amadey

Sharing

General

Target

697763fb463b16a3a9c824bfe460b62972d9e4513aed75b6e1e712ad4d154c66
Size

1.9MB
Sample

240418-2m76maha32
MD5

b811c0e23746667fd092b3e8db97b22f
SHA1

795e2c72200de940358bcbd208256c29fb92f23f
SHA256

697763fb463b16a3a9c824bfe460b62972d9e4513aed75b6e1e712ad4d154c66
SHA512

53811803c1e6e00a302e7294d2270b1646330af88ca8571d89c006c6b9513a9a4e7644c0295769ca827aaf82f0f86bedfe6c2d1121d75d41bace011ee11460e6
SSDEEP

49152:hBcnYqTRe9yKFqwNPuSqYvgeydXWH3jMHf:fcnYr9zNPxqYYYXY/

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.184.225.183:30592

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

Targets

- Target
  
  697763fb463b16a3a9c824bfe460b62972d9e4513aed75b6e1e712ad4d154c66
- Size
  
  1.9MB
- MD5
  
  b811c0e23746667fd092b3e8db97b22f
- SHA1
  
  795e2c72200de940358bcbd208256c29fb92f23f
- SHA256
  
  697763fb463b16a3a9c824bfe460b62972d9e4513aed75b6e1e712ad4d154c66
- SHA512
  
  53811803c1e6e00a302e7294d2270b1646330af88ca8571d89c006c6b9513a9a4e7644c0295769ca827aaf82f0f86bedfe6c2d1121d75d41bace011ee11460e6
- SSDEEP
  
  49152:hBcnYqTRe9yKFqwNPuSqYvgeydXWH3jMHf:fcnYr9zNPxqYYYXY/
Score

10^/10

amadey evasion trojan lumma redline stealc zgrat @oleh_psp livetraffic test1234 infostealer persistence rat stealer themida
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect ZGRat V1

Lumma Stealer

RedLine

RedLine payload

Stealc

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Unexpected DNS network traffic destination

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2