amadey | 51ab4e0f6c15eff6a797de8425f07cdb597016e0d825939e5ef4c0f5c6c611d3

Analysis

max time kernel
143s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.2MB
MD5

bab6c308a5bc847b003f6b0a97029c4a
SHA1

ce02c7fc53cc4f33ece5fc50253e953d700fec19
SHA256

51ab4e0f6c15eff6a797de8425f07cdb597016e0d825939e5ef4c0f5c6c611d3
SHA512

27c19d1b2a6151538813c4c3b4e9f27fad925f776b8b9928ed7e18c7d23e9102883b8e4bb0b89ff226792cfce3c56c75ea2d6568e5b8ef7ab69c7b614ab28105
SSDEEP

196608:hxsPOxj9TOoc1KDpf2m8B8hn1fsQjAIt5iH1j/AK:hWajNOhmlHDsQkIDiHF/A

Score

10^/10

amadey lumma 092155 defense_evasion discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://clarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://easyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1o78s2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2N8566.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1o78s2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2N8566.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2N8566.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1o78s2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	1o78s2.exe

Executes dropped EXE 6 IoCs

pid	Process
5172	i4i66.exe
6100	1o78s2.exe
5608	rapes.exe
380	2N8566.exe
1924	rapes.exe
4488	rapes.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	1o78s2.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	2N8566.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i4i66.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
6100	1o78s2.exe
5608	rapes.exe
380	2N8566.exe
1924	rapes.exe
4488	rapes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1o78s2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4i66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1o78s2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2N8566.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
6100	1o78s2.exe
6100	1o78s2.exe
5608	rapes.exe
5608	rapes.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
380	2N8566.exe
1924	rapes.exe
1924	rapes.exe
4488	rapes.exe
4488	rapes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	380	2N8566.exe
Token: SeImpersonatePrivilege	380	2N8566.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
6100	1o78s2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 5172	2964	random.exe	88
PID 2964 wrote to memory of 5172	2964	random.exe	88
PID 2964 wrote to memory of 5172	2964	random.exe	88
PID 5172 wrote to memory of 6100	5172	i4i66.exe	89
PID 5172 wrote to memory of 6100	5172	i4i66.exe	89
PID 5172 wrote to memory of 6100	5172	i4i66.exe	89
PID 3844 wrote to memory of 2904	3844	cmd.exe	93
PID 3844 wrote to memory of 2904	3844	cmd.exe	93
PID 3676 wrote to memory of 2096	3676	cmd.exe	94
PID 3676 wrote to memory of 2096	3676	cmd.exe	94
PID 6100 wrote to memory of 5608	6100	1o78s2.exe	97
PID 6100 wrote to memory of 5608	6100	1o78s2.exe	97
PID 6100 wrote to memory of 5608	6100	1o78s2.exe	97
PID 5172 wrote to memory of 380	5172	i4i66.exe	98
PID 5172 wrote to memory of 380	5172	i4i66.exe	98
PID 5172 wrote to memory of 380	5172	i4i66.exe	98

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4i66.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4i66.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o78s2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o78s2.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2N8566.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2N8566.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:2096

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4488

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3q07b.exe

Filesize
2.4MB

MD5
08dfa744b2d4d3b8685f49a37f5d8c87

SHA1
35c9787aa93422a40b75aaa1ccbaf076e3034cfc

SHA256
fa7063effcb59df0012e18555f133df96e1679a68d5b4b17f4da2e539d7ef865

SHA512
c1a3c5d0cfd75fb369ba2887ceac6c0f06e507c5cc50da81ac1173ce88c74c84ae8f465a97e535b9c12b625e0dfb4f52185aa750cf9818025cf642888af9221d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4i66.exe

Filesize
3.8MB

MD5
5ad35e8ffa5c156c9d77c121d3bb18be

SHA1
b5def8cd444ff3524fb458037bdecc782a128afc

SHA256
4156817ea20a902aa3ff4b41f784c3764e2a572fdbccc1030de98901aa43629d

SHA512
11b081c1230ab6cbc4701b6926ebb4c8165c1ffd3290fc81f3ca14caf87941270770fb1e361f1957e296a4168e2007721d36821b8b23839fb2f591b4e7e60d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1o78s2.exe

Filesize
2.1MB

MD5
f465833f4f6c1786e7b1fb87f0995c44

SHA1
4452630ffd1f9ec4e1420956126d2fd115c1ddfa

SHA256
fcab315274fa4215f65d8b4410ee84fbd30af6e0a8987652d3ed6346cfde57e5

SHA512
98609049400b625485b030d2d7dd18f73c1f2bdb80dfa6c4a0819d71fc6ca0bc6463c6d7e352a08a77d5d121d8840dc79e80d15a47bc776be201dec01de810cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2N8566.exe

Filesize
1.8MB

MD5
894b0a2a87577a155ab8de52cdced523

SHA1
eda1e41eedbbd087af901ff6830510db946adcca

SHA256
c188e6136e9563a1da832784e8715103ad2d4d2523fa606a21b60d784f2055ed

SHA512
67da611e85c3ca98908e98d228659a3bd687b0fb7cc1c9591e35e9e08aaa6ec366e89070204446187199678edadd55279fe9f45eac7edeb61ec7994f967505d0

Download Submit
memory/380-48-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/380-41-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/380-33-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/380-37-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/380-39-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/380-43-0x00000000002E0000-0x0000000000787000-memory.dmp

Filesize
4.7MB

Download
memory/1924-47-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/1924-45-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/4488-56-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/4488-58-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-34-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-52-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-40-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-38-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-35-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-29-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-49-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-50-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-51-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-42-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-53-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-55-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-62-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-61-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-59-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/5608-60-0x0000000000060000-0x000000000052C000-memory.dmp

Filesize
4.8MB

Download
memory/6100-14-0x0000000000AB0000-0x0000000000F7C000-memory.dmp

Filesize
4.8MB

Download
memory/6100-28-0x0000000000AB0000-0x0000000000F7C000-memory.dmp

Filesize
4.8MB

Download