amadey

Sharing

Copy URL

Twitter E-mail

General

Target

a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f
Size

1.8MB
Sample

240708-fqneqstdmm
MD5

19a38385f077241168986482aca1745e
SHA1

72eebe027f024674814b165393af33b917a77e7e
SHA256

a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f
SHA512

0df2c4752effe858bae2edf474116ba517e7f03dcbc861b0f6da36b0e15f80e968012146d223bc03e1f269e830da381ad99153158c655992b0f49f3806ac33aa
SSDEEP

24576:x6/rcC6mfBhc/wRRcxFeUTLYf6/eJj95FUHMBzp0ey08kkaIwHh7VZwZD1ltmEOC:xMFMIqxF/WrRhzKS8kk6Hwr3uQYP

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Extracted

Family

asyncrat

Version

0.0.1A

Botnet

Default

185.216.214.217:5858

Mutex

fghre9ijuve9 juejuoirujiovijo

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://affecthorsedpo.shop/api

Targets

- Target
  
  a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f
- Size
  
  1.8MB
- MD5
  
  19a38385f077241168986482aca1745e
- SHA1
  
  72eebe027f024674814b165393af33b917a77e7e
- SHA256
  
  a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f
- SHA512
  
  0df2c4752effe858bae2edf474116ba517e7f03dcbc861b0f6da36b0e15f80e968012146d223bc03e1f269e830da381ad99153158c655992b0f49f3806ac33aa
- SSDEEP
  
  24576:x6/rcC6mfBhc/wRRcxFeUTLYf6/eJj95FUHMBzp0ey08kkaIwHh7VZwZD1ltmEOC:xMFMIqxF/WrRhzKS8kk6Hwr3uQYP
Score

10^/10

amadey monster raccoon redline stealc vidar e76b71 newbuild zov discovery evasion execution infostealer spyware stealer trojan asyncrat lumma @logscloudyt_bot default livetraffic rat
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Detect Vidar Stealer
  stealer
- Detects Monster Stealer.
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Monster
  Monster is a Golang stealer that was discovered in 2024.
  stealer monster
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V2 payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

AsyncRat

Detect Vidar Stealer

Detects Monster Stealer.

Lumma Stealer

Monster

Raccoon

Raccoon Stealer V2 payload

RedLine

RedLine payload

Stealc

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2