General

  • Target

    87fbaa9b3ef4e605aaf8ad54819726540bea7b6393e213090dda98bc33f3d647N.exe

  • Size

    1.8MB

  • Sample

    241205-dqcl5awkbw

  • MD5

    3c8d4f3ec21d783b2f3707d8b3032f60

  • SHA1

    887569a68eafe58323538229a1c89a5681449a31

  • SHA256

    87fbaa9b3ef4e605aaf8ad54819726540bea7b6393e213090dda98bc33f3d647

  • SHA512

    9013cdd7985e2103cfb985126e4022697309abb705716fa3099e45dc2a4b7537be2e0df1bb9b489ea83cc159c3f8c36140fd0e4183a83b6eeea3a3cd19d93bed

  • SSDEEP

    24576:GiZI3q/ZYhTUvu4XYCK7mqtpvp8GPlAdD/9zmt26WeQcEcPH8GLMOMGEP0d:G0IqwUVXN+8GPap9iOrGLJM/P

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://ratiomun.cyou

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://ratiomun.cyou/api

Targets

    • Target

      87fbaa9b3ef4e605aaf8ad54819726540bea7b6393e213090dda98bc33f3d647N.exe

    • Size

      1.8MB

    • MD5

      3c8d4f3ec21d783b2f3707d8b3032f60

    • SHA1

      887569a68eafe58323538229a1c89a5681449a31

    • SHA256

      87fbaa9b3ef4e605aaf8ad54819726540bea7b6393e213090dda98bc33f3d647

    • SHA512

      9013cdd7985e2103cfb985126e4022697309abb705716fa3099e45dc2a4b7537be2e0df1bb9b489ea83cc159c3f8c36140fd0e4183a83b6eeea3a3cd19d93bed

    • SSDEEP

      24576:GiZI3q/ZYhTUvu4XYCK7mqtpvp8GPlAdD/9zmt26WeQcEcPH8GLMOMGEP0d:G0IqwUVXN+8GPap9iOrGLJM/P

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Modifies Windows Defender Real-time Protection settings

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks