amadey | 2a571c59ffbf801083d9ba971d4b52cee9661f19086283cfb1d59235d1e0f08c

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.2MB
MD5

f751716f05d99853f2990902a7a0fba2
SHA1

08c84f7a3f066fea39e6328c469364233640aa08
SHA256

2a571c59ffbf801083d9ba971d4b52cee9661f19086283cfb1d59235d1e0f08c
SHA512

649505c753582f06ced51949e6cd2c89d451aeac3354b3675e6a36388358ce243b266146f01de6f2d47edc0a55fddb9680ab2717b2b628bb51fb642a884ff160
SSDEEP

196608:td82bRN0BOsEWbVdjpP+cQ6Q9WvbqrZ+:fN04WbVld+vUqZ

Score

10^/10

amadey lumma 092155 defense_evasion discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://wclarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://easyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://uu5salaccgfa.top/gsooz

https://axzestmodp.top/zeda

https://gyxcelmodo.run/nahd

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2B0712.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1J12M0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1J12M0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1J12M0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2B0712.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2B0712.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	1J12M0.exe

Executes dropped EXE 6 IoCs

pid	Process
3632	I1O69.exe
2760	1J12M0.exe
6116	rapes.exe
4052	2B0712.exe
5288	rapes.exe
5312	rapes.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	1J12M0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	2B0712.exe
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Software\Wine	rapes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	I1O69.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2760	1J12M0.exe
6116	rapes.exe
4052	2B0712.exe
5288	rapes.exe
5312	rapes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1J12M0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	I1O69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1J12M0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2B0712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2760	1J12M0.exe
2760	1J12M0.exe
6116	rapes.exe
6116	rapes.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
4052	2B0712.exe
5288	rapes.exe
5288	rapes.exe
5312	rapes.exe
5312	rapes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	4052	2B0712.exe
Token: SeImpersonatePrivilege	4052	2B0712.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5220 wrote to memory of 3632	5220	random.exe	82
PID 5220 wrote to memory of 3632	5220	random.exe	82
PID 5220 wrote to memory of 3632	5220	random.exe	82
PID 1224 wrote to memory of 3828	1224	cmd.exe	83
PID 1224 wrote to memory of 3828	1224	cmd.exe	83
PID 3632 wrote to memory of 2760	3632	I1O69.exe	86
PID 3632 wrote to memory of 2760	3632	I1O69.exe	86
PID 3632 wrote to memory of 2760	3632	I1O69.exe	86
PID 3308 wrote to memory of 5416	3308	cmd.exe	87
PID 3308 wrote to memory of 5416	3308	cmd.exe	87
PID 2760 wrote to memory of 6116	2760	1J12M0.exe	88
PID 2760 wrote to memory of 6116	2760	1J12M0.exe	88
PID 2760 wrote to memory of 6116	2760	1J12M0.exe	88
PID 3632 wrote to memory of 4052	3632	I1O69.exe	89
PID 3632 wrote to memory of 4052	3632	I1O69.exe	89
PID 3632 wrote to memory of 4052	3632	I1O69.exe	89

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I1O69.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I1O69.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1J12M0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1J12M0.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2B0712.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2B0712.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:5416

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5288

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5312

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3D83k.exe

Filesize
2.4MB

MD5
a4bc02bc055210a40a61df94f176928b

SHA1
4522e3450b66bd0da8623e16cef73ffe495082cb

SHA256
6ccbe9a84e3ca24016683f55814b882f8609423955acfea9587fb2a3ae48fdf1

SHA512
84640d2db0b528e1f691c11e0cea770d6359ac8b42e7802a421dc90fe4d8ed9e99f4f61e065c79e3189beb4af1942c78a6970baa51d3b9445f18dbaaa67c03a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I1O69.exe

Filesize
3.8MB

MD5
3a9f6b1a8eb6e7af06e6ed8573dfce8e

SHA1
971a0843491c2ae53d4798dc4cd9c394a2c06f54

SHA256
b075732695378864af9eee06e6dc29f8956d5f72e1508bcb1677c5fcbf63644d

SHA512
3e15bbf23ce7c802085cd8876a489b7b03095eb127549b3e33b96b1b49fae57e19642b438fa5ae07ebe78f362b13779604aade89b91e513bbeceea49b10d8944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1J12M0.exe

Filesize
2.1MB

MD5
9e3768b4d556fa13b3138fa0bfc87ada

SHA1
03ad8e08a5154ba7c16672a313dd15235db7ab34

SHA256
f2c97a36c4c17e511516dff225d42230023bcdd5c90d725963690564b6ac4362

SHA512
2e55d39b5a1c83cef7a49ef977a2a50d83b978286c57daf2d2e1d644ed36299da1bd0d3bdf1aa1d228b50660335ef2a2641c9c12b1afe6bc9642e04be87f50b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2B0712.exe

Filesize
1.8MB

MD5
794d7f6a5d6267b55676576fca930053

SHA1
c1fec8b1dff294222e2e351e046d6e2952820da8

SHA256
63918e46602e4b0d1f1433ced81587f58f12b0b79ab52a586c3fcb51157d51f8

SHA512
c7d1c4ed1960fdd6b9b728c0b5350ac5c96f8b2a925034f814cf0029ee8955d7f4ffb15a717a6ec941c1332f6082e30e7f12d1f1425c7c47a208a36cda196ca4

Download Submit
memory/2760-28-0x0000000000360000-0x000000000081E000-memory.dmp

Filesize
4.7MB

Download
memory/2760-15-0x0000000000360000-0x000000000081E000-memory.dmp

Filesize
4.7MB

Download
memory/4052-33-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/4052-37-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/4052-47-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/4052-39-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/4052-46-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/4052-41-0x0000000000FB0000-0x0000000001463000-memory.dmp

Filesize
4.7MB

Download
memory/5288-44-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/5288-43-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/5312-55-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/5312-54-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-34-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-45-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-40-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-38-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-48-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-49-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-50-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-51-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-52-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-35-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-29-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-56-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-57-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-58-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-59-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download
memory/6116-60-0x0000000000720000-0x0000000000BDE000-memory.dmp

Filesize
4.7MB

Download