amadey

Sharing

Copy URL

Twitter E-mail

General

Target

2b61614ceb74a081d8a0683f353fdec509e976cdd3004c10f8c977c6ce17c470
Size

5.5MB
Sample

250220-p4ejesvnh1
MD5

d0a8f8009be5fca50f51f921172f1c09
SHA1

fb248ffa5b3016254ac0f42412fe68e1d38761ef
SHA256

2b61614ceb74a081d8a0683f353fdec509e976cdd3004c10f8c977c6ce17c470
SHA512

d3e56567fb53f487ffbe7e79794e09b61f688a35cfeadf1f58a1039cc54aa3a6c2637be7deb0e6a86c66e59d49ac034f01d55d1911054613b11d625d58687fb9
SSDEEP

98304:rvdN5/3I03K4/mEAynzEaWnHY1QSFFO9w9u7AYqTdp8FxFvf8lS1IenvCN9ySf3w:xN5/Y03j/mEAd3Y1QSFFOp770P8F7f8D

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

systembc

cobolrationumelawrtewarms.co:4001

93.186.202.3:4001

Attributes

dns
5.132.191.104

ns1.vic.au.dns.opennic.glue

ns2.vic.au.dns.opennic.glue

Extracted

Path

C:\Users\Admin\Desktop\IMPORTANT_FILE_2.txt

Ransom Note

### IMPORTANT INFO ### All your files have been encrypted. If you want to restore them, write us to the e-mail: [email protected] Write this ID in the title of your message: OXT4R548S You have to pay for decryption in Bitcoin. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. ### Free decryption as guarantee ### Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10MB (non archived) and files should not contain valuable information (databases, backups, large Excel sheets, etc.)

Emails

[email protected]

Extracted

Family

stealc

Botnet

default

http://ecozessentials.com

Attributes

url_path
/e6cb1c8fc7cd1659.php

Extracted

Family

lumma

https://penetratebatt.pw/api

Targets

- Target
  
  2b61614ceb74a081d8a0683f353fdec509e976cdd3004c10f8c977c6ce17c470
- Size
  
  5.5MB
- MD5
  
  d0a8f8009be5fca50f51f921172f1c09
- SHA1
  
  fb248ffa5b3016254ac0f42412fe68e1d38761ef
- SHA256
  
  2b61614ceb74a081d8a0683f353fdec509e976cdd3004c10f8c977c6ce17c470
- SHA512
  
  d3e56567fb53f487ffbe7e79794e09b61f688a35cfeadf1f58a1039cc54aa3a6c2637be7deb0e6a86c66e59d49ac034f01d55d1911054613b11d625d58687fb9
- SSDEEP
  
  98304:rvdN5/3I03K4/mEAynzEaWnHY1QSFFO9w9u7AYqTdp8FxFvf8lS1IenvCN9ySf3w:xN5/Y03j/mEAd3Y1QSFFOp770P8F7f8D
Score

10^/10

amadey healer lumma stealc systembc 9c9aa5 default reno defense_evasion discovery dropper evasion execution persistence privilege_escalation pyinstaller ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Healer family
  healer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Systembc family
  systembc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
  persistence privilege_escalation
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1