amadey

General

Target

69f12161bd960117baf9728942be8ae7d34aeac22ffeff912dc8ab227a44229b
Size

3.1MB
Sample

241210-3dj8wavkcz
MD5

4f2646500156298bd82c572e6c8e4062
SHA1

44c4da3bd22fc6ac172a3847c3fbe9b88659c1ff
SHA256

69f12161bd960117baf9728942be8ae7d34aeac22ffeff912dc8ab227a44229b
SHA512

50235199c1e446fcc1a1bd93bbadf4c048ac363a472297e522cd32290f0c81318f8434120b5ee77c82bbd85f01af7eb962e71e4de54ccd59f5ff214208b9de39
SSDEEP

49152:icm/mmZYj4ofA2jiwMLgUg6UfV0yRVgH1oiZnus6:GHi4ofA2jieDVdRVK1Dnus

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8080

101.99.92.189:8080

Mutex

d5gQ6Zf7Tzih1Pi1

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

lumma

C2

https://covery-mover.biz/api

Targets

- Target
  
  69f12161bd960117baf9728942be8ae7d34aeac22ffeff912dc8ab227a44229b
- Size
  
  3.1MB
- MD5
  
  4f2646500156298bd82c572e6c8e4062
- SHA1
  
  44c4da3bd22fc6ac172a3847c3fbe9b88659c1ff
- SHA256
  
  69f12161bd960117baf9728942be8ae7d34aeac22ffeff912dc8ab227a44229b
- SHA512
  
  50235199c1e446fcc1a1bd93bbadf4c048ac363a472297e522cd32290f0c81318f8434120b5ee77c82bbd85f01af7eb962e71e4de54ccd59f5ff214208b9de39
- SSDEEP
  
  49152:icm/mmZYj4ofA2jiwMLgUg6UfV0yRVgH1oiZnus6:GHi4ofA2jieDVdRVK1Dnus
Score

10^/10

amadey gcleaner lumma stormkitty xworm 9c9aa5 discovery evasion loader rat spyware stealer trojan credential_access
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2