amadey

Resubmissions

15/02/2025, 17:38

250215-v7s4wavqer 9

15/02/2025, 16:59

250215-vhpedsvlbs 10

15/02/2025, 16:37

250215-t447astqav 10

Sharing

Copy URL

Twitter E-mail

General

Target

8ZSZQ_random.exe
Size

1.8MB
Sample

250215-t447astqav
MD5

411303148c2c132ec3b30a97c1936cf9
SHA1

9693f9e29924d1bbb1bf87f10707c74d1df7e996
SHA256

dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb
SHA512

f27dce51cbed73bb3f1b8fb977d3168f5778bab24b4c762f16333adfb9d93ce1b476a3277d994ee429781919385846c68c618c5d72b38ca6a7bc82f9c658dbdd
SSDEEP

24576:5oplyMtRrcEVZQuiws76pon4/JaaT2cEMeUkt2BgHTczSS/yyvX6em4yWgw:5opPR5ZQuiws76p/iSiAllyyvdm4I

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt

Ransom Note

YOUR SYSTEM IS LOCKED AND ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED. DON'T WORRY YOUR FILES ARE SAFE. TO RETURN ALL THE NORMALLY YOU MUST BUY THE CERBER DECRYPTOR PROGRAM. PAYMENTS ARE ACCEPTED ONLY THROUGH THE BITCOIN NETWORK. YOU CAN GET THEM VIA ATM MACHINE OR ONLINE https://coinatmradar.com/ (find a ATM) https://www.localbitcoins.com/ (buy instantly online any country) 1. Visit qtox.github.io 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 677DD06ED071E4B557FF3D9236ACD21AFECBA485C6643AB84F766060B967DC6E0CFC34DDD9A0 Subject : SYSTEM-LOCKED-ID: 90890423 Payment 10 000$ BTC

URLs

https://coinatmradar.com/

https://www.localbitcoins.com/

Extracted

Family

xenorat

196.251.87.37

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4782
startup_name
nothingset

Extracted

Family

lumma

https://paleboreei.biz/api

Targets

- Target
  
  8ZSZQ_random.exe
- Size
  
  1.8MB
- MD5
  
  411303148c2c132ec3b30a97c1936cf9
- SHA1
  
  9693f9e29924d1bbb1bf87f10707c74d1df7e996
- SHA256
  
  dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb
- SHA512
  
  f27dce51cbed73bb3f1b8fb977d3168f5778bab24b4c762f16333adfb9d93ce1b476a3277d994ee429781919385846c68c618c5d72b38ca6a7bc82f9c658dbdd
- SSDEEP
  
  24576:5oplyMtRrcEVZQuiws76pon4/JaaT2cEMeUkt2BgHTczSS/yyvX6em4yWgw:5opPR5ZQuiws76p/iSiAllyyvdm4I
Score

10^/10

amadey povertystealer 9c9aa5 defense_evasion discovery spyware stealer trojan lumma stealc xenorat xmrig xorist reno execution miner persistence ransomware rat themida upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Detect Poverty Stealer Payload
- Detect XenoRat Payload
- Detected Xorist Ransomware
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Poverty Stealer
  Poverty Stealer is a crypto and infostealer written in C++.
  stealer povertystealer
- Povertystealer family
  povertystealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Xenorat family
  xenorat
- Xmrig family
  xmrig
- Xorist Ransomware
  Xorist is a ransomware first seen in 2020.
  ransomware xorist
- Xorist family
  xorist
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Renames multiple (3618) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2