amadey

Sharing

Copy URL

Twitter E-mail

General

Target

1285fdb82e7930812a9c52e680143cea311d8b147cb7aa8b6ea3637e8b94a9fc
Size

1.8MB
Sample

250309-yymsaazwev
MD5

7a51912053a6bf0831aa861b45f6c402
SHA1

7912df8443372c0929fb9c2fd8b0b5019969d142
SHA256

1285fdb82e7930812a9c52e680143cea311d8b147cb7aa8b6ea3637e8b94a9fc
SHA512

9e6ed09f7eccf79f18053ec68c0e496d222eb8599217c096c213e92b8d68a0ce2a6f418cc84df381a5c7fa4b526ed1078eedffadb6fb42ecbdfd69b3c890affc
SSDEEP

49152:+N0PauDiXiKu2Pj/pr2/rEz0EkeT+vDEqR:60Hidj/Ferq0E6DZR

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://garagedrootz.top/api

https://begindecafer.world/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://1sterpickced.digital/api

https://agroecologyguide.digital/api

https://explorebieology.run/api

https://kmoderzysics.top/api

https://seedsxouts.shop/api

https://rcodxefusion.top/api

https://farfinable.top/api

https://techspherxe.top/api

https://cropcircleforum.today/api

https://dawtastream.bet/api

https://foresctwhispers.top/api

https://tracnquilforest.life/api

https://xcollapimga.fun/api

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot8007077483:AAHM4_PlNxkpckDEqg6ywAn9tdKAEoUNe4o/sendMessage?chat_id=5243921565

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

lumma

https://agroecologyguide.digital/api

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

gurcu

https://api.telegram.org/bot8007077483:AAHM4_PlNxkpckDEqg6ywAn9tdKAEoUNe4o/sendMessage?chat_id=5243921565

https://api.telegram.org/bot8007077483:AAHM4_PlNxkpckDEqg6ywAn9tdKAEoUNe4o/sendDocument?chat_id=524392156

https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=528366295

Targets

- Target
  
  1285fdb82e7930812a9c52e680143cea311d8b147cb7aa8b6ea3637e8b94a9fc
- Size
  
  1.8MB
- MD5
  
  7a51912053a6bf0831aa861b45f6c402
- SHA1
  
  7912df8443372c0929fb9c2fd8b0b5019969d142
- SHA256
  
  1285fdb82e7930812a9c52e680143cea311d8b147cb7aa8b6ea3637e8b94a9fc
- SHA512
  
  9e6ed09f7eccf79f18053ec68c0e496d222eb8599217c096c213e92b8d68a0ce2a6f418cc84df381a5c7fa4b526ed1078eedffadb6fb42ecbdfd69b3c890affc
- SSDEEP
  
  49152:+N0PauDiXiKu2Pj/pr2/rEz0EkeT+vDEqR:60Hidj/Ferq0E6DZR
Score

10^/10

amadey asyncrat gcleaner lumma stormkitty xred 092155 default backdoor defense_evasion discovery execution loader persistence privilege_escalation rat spyware stealer trojan gurcu healer stealc xmrig trump credential_access dropper miner
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detects Healer an antivirus disabler dropper
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Gcleaner family
  gcleaner
- Gurcu family
  gurcu
- Gurcu, WhiteSnake
  Gurcu aka WhiteSnake is a malware stealer written in C#.
  stealer gurcu
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Healer family
  healer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Stormkitty family
  stormkitty
- Xmrig family
  xmrig
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Boot or Logon Autostart Execution: Authentication Package
  Suspicious Windows Authentication Registry Modification.
  persistence privilege_escalation
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2