amadey

Sharing

General

Target

eecfaa71ab031c184557f1d78a349f095ace00b1087f315f26bcba1a58bdda2f
Size

1.8MB
Sample

240422-cg6ceaed7w
MD5

6c67b47d5143751ae9b44d28da8a6c97
SHA1

af094fc26169f2c19582f4efab2aadbb2660c067
SHA256

eecfaa71ab031c184557f1d78a349f095ace00b1087f315f26bcba1a58bdda2f
SHA512

21b3ca1c2cf77f7753e9c4b0e9cac3c19ad2702bafb31240ae0e1742087e245e3f5f35cc3c610ec0ebfeb68a7aca807dcdf8ee55636cf67cd6746b5784fa8024
SSDEEP

24576:3S+aOCJYqG2wXzsUJy26P7h0pq3P/W341WOgTcxY4IKj48yFXEhjiV/uK9Ud2oGB:i5JYH2qg2yn0w3P/HhKF7V/ueUKshp

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

redline

Botnet

@OLEH_PSP

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.184.225.183:30592

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Targets

- Target
  
  eecfaa71ab031c184557f1d78a349f095ace00b1087f315f26bcba1a58bdda2f
- Size
  
  1.8MB
- MD5
  
  6c67b47d5143751ae9b44d28da8a6c97
- SHA1
  
  af094fc26169f2c19582f4efab2aadbb2660c067
- SHA256
  
  eecfaa71ab031c184557f1d78a349f095ace00b1087f315f26bcba1a58bdda2f
- SHA512
  
  21b3ca1c2cf77f7753e9c4b0e9cac3c19ad2702bafb31240ae0e1742087e245e3f5f35cc3c610ec0ebfeb68a7aca807dcdf8ee55636cf67cd6746b5784fa8024
- SSDEEP
  
  24576:3S+aOCJYqG2wXzsUJy26P7h0pq3P/W341WOgTcxY4IKj48yFXEhjiV/uK9Ud2oGB:i5JYH2qg2yn0w3P/HhKF7V/ueUKshp
Score

10^/10

amadey lumma redline stealc zgrat @oleh_psp livetraffic test1234 discovery evasion infostealer rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Detect ZGRat V1

Lumma Stealer

RedLine

RedLine payload

Stealc

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2