General

  • Target

    7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5

  • Size

    2MB

  • Sample

    231207-sfz21acd53

  • MD5

    91020e5674626296b45de52989d97be3

  • SHA1

    e1c95086cdfe8525c673fa45d8c1310efb45ff4a

  • SHA256

    7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5

  • SHA512

    22731558082adda43effe24732d9b4fb1fa5978a564cece18cc430eff9a4b0b5fa04424ac0027b0d3a09e21c12c531b44647e0b70e73372a1eb3b4b8ff00ba27

  • SSDEEP

    49152:0yj4+45+Lf+4nClgIi23U8Qgy4RqX6vkJ2D/Z8n1oUDc8s0vXwV2x:0b+4wLf+4nCgMU8/y4Rm6vkJ2lK1jkap

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Extracted

Family

lumma

C2

http://athwartchannelly.pw/api

Targets

    • Target

      7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5

    • Size

      2MB

    • MD5

      91020e5674626296b45de52989d97be3

    • SHA1

      e1c95086cdfe8525c673fa45d8c1310efb45ff4a

    • SHA256

      7ef9c8f05fc2ebd6d393a97415401b01be80ab827b85f35370480f9e42852dc5

    • SHA512

      22731558082adda43effe24732d9b4fb1fa5978a564cece18cc430eff9a4b0b5fa04424ac0027b0d3a09e21c12c531b44647e0b70e73372a1eb3b4b8ff00ba27

    • SSDEEP

      49152:0yj4+45+Lf+4nClgIi23U8Qgy4RqX6vkJ2D/Z8n1oUDc8s0vXwV2x:0b+4wLf+4nCgMU8/y4Rm6vkJ2lK1jkap

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Collection

Data from Local System

3
T1005

Tasks