amadey | 72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9 | Triage

Sharing

General

Target

Requirements.scr
Size

45.2MB
Sample

241023-b5l31axakk
MD5

3984a66e5b78113a55d22f9c2f3af1bc
SHA1

16895f9541767e859eb7784b70804623eaa48b2c
SHA256

72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9
SHA512

b44cc041f9df8eaf28fee92a701dfc9d45b458b3310a248d1ca466c313bb26466ea098f15bee119999c4e8f08c8bc63f50e783da98b72863180440fd4373547c
SSDEEP

786432:+1prb/zUF2kVcAQDv8vK6BneoexUqOLb55j0JJ3gTsGN3pxNy:ypLUAk+NqBsxUqcpxsMXc

Score

10^/10

amadey lumma rhadamanthys 76a1c5 discovery execution stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

76a1c5

C2

http://185.208.158.96

Attributes

install_dir
9b94b7e626
install_file
Gxtuum.exe
strings_key
7ec67893d851db775fae22819287705c
url_paths
/mzmtrpwoe113ee/index.php

rc4.plain

Extracted

Family

rhadamanthys

C2

https://185.196.11.237:9697/f002171ab05c7/hip4946p.881o6

Extracted

Family

lumma

C2

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Targets

- Target
  
  Requirements.scr
- Size
  
  45.2MB
- MD5
  
  3984a66e5b78113a55d22f9c2f3af1bc
- SHA1
  
  16895f9541767e859eb7784b70804623eaa48b2c
- SHA256
  
  72404ecb9dff0bbdb1296b7be79515ebf9323101374385476c282812517c43d9
- SHA512
  
  b44cc041f9df8eaf28fee92a701dfc9d45b458b3310a248d1ca466c313bb26466ea098f15bee119999c4e8f08c8bc63f50e783da98b72863180440fd4373547c
- SSDEEP
  
  786432:+1prb/zUF2kVcAQDv8vK6BneoexUqOLb55j0JJ3gTsGN3pxNy:ypLUAk+NqBsxUqcpxsMXc
Score

10^/10

amadey lumma rhadamanthys 76a1c5 discovery execution stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeylummarhadamanthys76a1c5discoveryexecutionstealertrojan

behavioral2

amadeylummarhadamanthys76a1c5discoveryexecutionstealertrojan