amadey

Sharing

Copy URL

Twitter E-mail

General

Target

3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603.exe
Size

1.8MB
Sample

240621-bkz45athqe
MD5

20fe52f3ba934b9b7454c194f44d74d0
SHA1

f38c3041926f329dac459bacce67850dc58ab15a
SHA256

3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
SHA512

de74eaa8fcd2dc40da40f09e4c69f41c63282c1d70f352fe3e6f0b7ef70318f5252e520574d428f1bd5c24dc6d55acab9f109b6a6c36718df1f9ead25effccfc
SSDEEP

24576:1/JK2aIjA7qco3fFT9eSzR160c8LE8x+dyh9tfzHEBZ/QJc0erHIuoDaFtTNihZi:VlfA7kvFJRPpAC+UdTmtQCtouortLka

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

4.185.27.237:13528

Extracted

Family

lumma

https://willingyhollowsk.shop/api

https://parallelmercywksoffw.shop/api

https://distincttangyflippan.shop/api

https://liabiliytshareodlkv.shop/api

https://macabrecondfucews.shop/api

https://notoriousdcellkw.shop/api

https://greentastellesqwm.shop/api

https://conferencefreckewl.shop/api

https://stickyyummyskiwffe.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://barebrilliancedkoso.shop/api

https://sturdyregularrmsnhw.shop/api

https://lamentablegapingkwaq.shop/api

https://innerverdanytiresw.shop/api

https://standingcomperewhitwo.shop/api

https://accumulationeyerwos.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

Targets

- Target
  
  3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603.exe
- Size
  
  1.8MB
- MD5
  
  20fe52f3ba934b9b7454c194f44d74d0
- SHA1
  
  f38c3041926f329dac459bacce67850dc58ab15a
- SHA256
  
  3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
- SHA512
  
  de74eaa8fcd2dc40da40f09e4c69f41c63282c1d70f352fe3e6f0b7ef70318f5252e520574d428f1bd5c24dc6d55acab9f109b6a6c36718df1f9ead25effccfc
- SSDEEP
  
  24576:1/JK2aIjA7qco3fFT9eSzR160c8LE8x+dyh9tfzHEBZ/QJc0erHIuoDaFtTNihZi:VlfA7kvFJRPpAC+UdTmtQCtouortLka
Score

10^/10

amadey monster redline risepro 0e6740 e76b71 newbild discovery evasion execution infostealer persistence pyinstaller spyware stealer themida trojan exelastealer lumma @logscloudyt_bot livetraffic defense_evasion privilege_escalation
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Monster Stealer.
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2