Overview

overview

10

Static

static

3

ded5a18128...d9.exe

windows7-x64

10

ded5a18128...d9.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    41e1b89657936a9f325d226251164e1b.bin

  • Size

    1.7MB

  • Sample

    241217-bldbrawqgm

  • MD5

    1c9f1e343dbe6e903c16725ed6352c42

  • SHA1

    d22d8bda95e8f00c65473cf276f55377bc1eeba0

  • SHA256

    ab377eaf22c6c3075e1acbac9298783a47668f4d05d0cbd5f0e5612012709161

  • SHA512

    0624b35aba24317c398214f046803c96fc7ef5e36c1436f8ff4a3d7b6bd3e68eb05a4e175fb29a20afc067dbd299e8024d1345e7e4502143009a090a16c240bf

  • SSDEEP

    49152:exZCn7XhJ/h1Rb34aQ84dKiNoep/BBUaS:exZOJ/hTboaQtMUAaS

Score
10/10
amadeylummaxmrig9c9aa5discoveryevasionminerstealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Targets

    • Target

      ded5a181286b7bf7971993b0392ee15dec6d42f4b48f5356b3b89d9f2aed48d9.exe

    • Size

      2.9MB

    • MD5

      41e1b89657936a9f325d226251164e1b

    • SHA1

      de03b88abbdeb975e8aa2094a38bf98b7840f13b

    • SHA256

      ded5a181286b7bf7971993b0392ee15dec6d42f4b48f5356b3b89d9f2aed48d9

    • SHA512

      bd859efdd017b1fa470ad5b6eeb31b0cf782fc4182d48a4de31a8bdd693415af062ef0ac514ff36e0faa52125fc79cccb15f828fd1a9b7929d59b40b2dfa02e4

    • SSDEEP

      49152:jRRnBqjB9QLCF6JHaPQucq0KpOmgvrHOVzqT:jR9BuB94CF6JHWpBpOmUbOVS

    Score
    10/10
    amadeylummaxmrig9c9aa5discoveryevasionminerstealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Lumma family

      lumma

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xmrig family

      xmrig

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks