amadey

Sharing

General

Target

fd5c06d42588d3522e11e164de54aed3c9d91a0172fddfbcb199832b35cc0de6
Size

2.9MB
Sample

241217-fn8ynasmfk
MD5

8e7103592157f25fa09a198285451ea6
SHA1

1f79ccd5ef49f473cfa6a514e4bca34458757dd8
SHA256

fd5c06d42588d3522e11e164de54aed3c9d91a0172fddfbcb199832b35cc0de6
SHA512

37b7f7e63d4027903868b8b17d1dc4928ed790fafe02fe20fb0f9fd60e6bc5f079a1219b8f0cdc844539e5ac71fc34627932e15f1418acd65390248b92da6d14
SSDEEP

49152:T0vaEOWLtGrw08d1JZfsaR5BP+ODkC/j5h7WVopSu04p/:o9OWLt6w08d1JZfsa/BP+ODJNh7WVopz

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

cryptbot

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

lumma

https://tacitglibbr.biz/api

https://shineugler.biz/api

Extracted

Family

gurcu

https://api.telegram.org/bot7587476277:AAEN7p2yOtrq884E9izAnIDu8WeE8vTqRjY/sendMessag

Targets

- Target
  
  fd5c06d42588d3522e11e164de54aed3c9d91a0172fddfbcb199832b35cc0de6
- Size
  
  2.9MB
- MD5
  
  8e7103592157f25fa09a198285451ea6
- SHA1
  
  1f79ccd5ef49f473cfa6a514e4bca34458757dd8
- SHA256
  
  fd5c06d42588d3522e11e164de54aed3c9d91a0172fddfbcb199832b35cc0de6
- SHA512
  
  37b7f7e63d4027903868b8b17d1dc4928ed790fafe02fe20fb0f9fd60e6bc5f079a1219b8f0cdc844539e5ac71fc34627932e15f1418acd65390248b92da6d14
- SSDEEP
  
  49152:T0vaEOWLtGrw08d1JZfsaR5BP+ODkC/j5h7WVopSu04p/:o9OWLt6w08d1JZfsa/BP+ODJNh7WVopz
Score

10^/10

amadey cryptbot stealc fed3aa stok discovery evasion persistence spyware stealer trojan exelastealer gurcu lumma default_valenciga collection credential_access defense_evasion privilege_escalation
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- CryptBot
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Cryptbot family
  cryptbot
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Exelastealer family
  exelastealer
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates VirtualBox registry keys
  evasion
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2