amadey

Sharing

Copy URL

Twitter E-mail

General

Target

5716ca13a390d744b1276a1ca83f837f55f797a53b68fa1c738939c94f19f52d
Size

1.8MB
Sample

240413-vrv9asab2t
MD5

14a7790619e67fb66bb29ad3a979c36b
SHA1

fe798ec4724910cd0de19a21ee879846bf66dab1
SHA256

5716ca13a390d744b1276a1ca83f837f55f797a53b68fa1c738939c94f19f52d
SHA512

9a5ed60fbce5a1c79c8bc0bfc5f60275eb908b1a36836931e06c4152b0dac545456b5a446e43578d16226dba153ff3b52716cdb4f3a714f095f9c97972f2eb1f
SSDEEP

49152:oLTzyXuLotS3ZcX0s8vOBLurW1gPXMaQymX1OoC4HcT7tz/J:oLTeeLD3ZjrvOBLPR8mBu

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

risepro

193.233.132.74:58709

Extracted

Family

remcos

Botnet

Install

elmauz.freemyip.com:7927

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
wischt.exe
copy_folder
wischt
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
centos
mouse_option
false
mutex
Rmc-UMBK7C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Targets

- Target
  
  5716ca13a390d744b1276a1ca83f837f55f797a53b68fa1c738939c94f19f52d
- Size
  
  1.8MB
- MD5
  
  14a7790619e67fb66bb29ad3a979c36b
- SHA1
  
  fe798ec4724910cd0de19a21ee879846bf66dab1
- SHA256
  
  5716ca13a390d744b1276a1ca83f837f55f797a53b68fa1c738939c94f19f52d
- SHA512
  
  9a5ed60fbce5a1c79c8bc0bfc5f60275eb908b1a36836931e06c4152b0dac545456b5a446e43578d16226dba153ff3b52716cdb4f3a714f095f9c97972f2eb1f
- SSDEEP
  
  49152:oLTzyXuLotS3ZcX0s8vOBLurW1gPXMaQymX1OoC4HcT7tz/J:oLTeeLD3ZjrvOBLPR8mBu
Score

10^/10

amadey glupteba lumma redline remcos risepro stealc zgrat @oleh_psp install livetraffic discovery dropper evasion infostealer loader persistence rat spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies firewall policy service
  evasion
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2