amadey

General

Target

f8d7b0335fd968d6dadd59a5a07dcccbd3cd4b3cb774125919f24c5ea9b16b2e
Size

1.8MB
Sample

240620-n6erjazhjq
MD5

c9f33b0eb5efcbd66d0a3c3514113552
SHA1

624707c2dd7281644102e3bffc0d69c082ca0131
SHA256

f8d7b0335fd968d6dadd59a5a07dcccbd3cd4b3cb774125919f24c5ea9b16b2e
SHA512

017a06216bd48321e97ddc003bdab6afc91b6711ebdcf466306d87b11d1e6d2c95e682206879a1695224618c74e954e10a1f332a714e3f1c421a793a7927bf99
SSDEEP

24576:GKU0DkopQkErIPy3/T7QL9JL+D80DzoPJ2K8rflNMsPvyjsPnZ0eWCmYxKpbFhXi:GzB3PfQDCDnzaojrdtvmbRCnEJXF

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

4.185.27.237:13528

Extracted

Family

redline

Botnet

newbild

C2

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Extracted

Family

lumma

C2

https://parallelmercywksoffw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://willingyhollowsk.shop/api

https://distincttangyflippan.shop/api

https://macabrecondfucews.shop/api

https://greentastellesqwm.shop/api

https://stickyyummyskiwffe.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

Targets

- Target
  
  f8d7b0335fd968d6dadd59a5a07dcccbd3cd4b3cb774125919f24c5ea9b16b2e
- Size
  
  1.8MB
- MD5
  
  c9f33b0eb5efcbd66d0a3c3514113552
- SHA1
  
  624707c2dd7281644102e3bffc0d69c082ca0131
- SHA256
  
  f8d7b0335fd968d6dadd59a5a07dcccbd3cd4b3cb774125919f24c5ea9b16b2e
- SHA512
  
  017a06216bd48321e97ddc003bdab6afc91b6711ebdcf466306d87b11d1e6d2c95e682206879a1695224618c74e954e10a1f332a714e3f1c421a793a7927bf99
- SSDEEP
  
  24576:GKU0DkopQkErIPy3/T7QL9JL+D80DzoPJ2K8rflNMsPvyjsPnZ0eWCmYxKpbFhXi:GzB3PfQDCDnzaojrdtvmbRCnEJXF
Score

10^/10

amadey lumma monster redline stormkitty @logscloudyt_bot e76b71 livetraffic newbild evasion execution infostealer stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Monster Stealer.
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2