amadey | 34aa4edab56f1ae6bd2bbb23496865c6665be6323cf99ccfc250804c9538d0f9

Analysis

max time kernel
143s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

6.2MB
MD5

a92c72014f3f7ec39fd65b080bd69092
SHA1

767c7b059d95e2a0defd8eafb226e5ca2c8f0726
SHA256

34aa4edab56f1ae6bd2bbb23496865c6665be6323cf99ccfc250804c9538d0f9
SHA512

e4aa6b6e80f388c06e4f2f92f12aa4964499ea88e28edd9d2edb153b09a93ec3681b48a330ce144232ba74eb0d0865ae979d96241cd1595628b9b85753d3385a
SSDEEP

98304:iTFzc2Bgbvv4NOCMH8Y6KpMAa2QiVn31RtFRiuk0N3A9vIDzML6/KMn7:ierv4MHyKpMpQlRzRi/0N3AwDzLCM

Score

10^/10

amadey lumma 092155 defense_evasion discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://clarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://ueasyupgw.live/eosz

https://liftally.top/xasj

https://upmodini.digital/gokk

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1W41I0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2E3402.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2E3402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2E3402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1W41I0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1W41I0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	1W41I0.exe

Executes dropped EXE 6 IoCs

pid	Process
732	E3O02.exe
3056	1W41I0.exe
1508	rapes.exe
824	2E3402.exe
4212	rapes.exe
2384	rapes.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	1W41I0.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	2E3402.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	random.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	E3O02.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3056	1W41I0.exe
1508	rapes.exe
824	2E3402.exe
4212	rapes.exe
2384	rapes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1W41I0.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2E3402.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E3O02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1W41I0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3056	1W41I0.exe
3056	1W41I0.exe
1508	rapes.exe
1508	rapes.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
824	2E3402.exe
4212	rapes.exe
4212	rapes.exe
2384	rapes.exe
2384	rapes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	824	2E3402.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3056	1W41I0.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 732	4996	random.exe	88
PID 4996 wrote to memory of 732	4996	random.exe	88
PID 4996 wrote to memory of 732	4996	random.exe	88
PID 732 wrote to memory of 3056	732	E3O02.exe	89
PID 732 wrote to memory of 3056	732	E3O02.exe	89
PID 732 wrote to memory of 3056	732	E3O02.exe	89
PID 1956 wrote to memory of 3504	1956	cmd.exe	91
PID 1956 wrote to memory of 3504	1956	cmd.exe	91
PID 3632 wrote to memory of 4284	3632	cmd.exe	93
PID 3632 wrote to memory of 4284	3632	cmd.exe	93
PID 3056 wrote to memory of 1508	3056	1W41I0.exe	97
PID 3056 wrote to memory of 1508	3056	1W41I0.exe	97
PID 3056 wrote to memory of 1508	3056	1W41I0.exe	97
PID 732 wrote to memory of 824	732	E3O02.exe	98
PID 732 wrote to memory of 824	732	E3O02.exe	98
PID 732 wrote to memory of 824	732	E3O02.exe	98

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E3O02.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E3O02.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I0.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2E3402.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2E3402.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:4284

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2384

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3T66Z.exe

Filesize
2.4MB

MD5
5f8d1f0fe5ab539b6b5b64a2766fc2ea

SHA1
4a4f955b2cbb2a4df37f1aa1a427f19d44e5b6a6

SHA256
5cde1bd16e36839b1cd05cd5e190efc032153d5ef1ba7fb71d523b057e04c622

SHA512
8924cc4012e3c37b71f30c814f20bfc6e20a9f63c6851db82e4e4339c342d90e344b35b2c705714b8c9dcfbf841d7186367f2c44d470f2e3e69b84a706c4d6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E3O02.exe

Filesize
3.7MB

MD5
f86f1a4fd4fc5c11b8fcb7a0279035ad

SHA1
08c96084dc9d761abde2ec62784b79e110ec90bd

SHA256
23b37d291ca74c77caeec32ab6b55ffc25e76bfcfedb405677e991d1c514379f

SHA512
54928e84e92b9928d1d730ed376c5b0e59772aec12d498a8c29219d4789619297e91783e775f8e4b17bc0c6fa2c2ca63311fac101a23c5cc2c943d19816fc8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1W41I0.exe

Filesize
2.1MB

MD5
d20d9a5e4f0853793dd9c7a90105f2f4

SHA1
ec953a5f2a27b6178f71ed7cee64451590e0b29c

SHA256
eb789f1be52a42bd7f5a4d5f8a9d4a600ca704f363532b96e1b7fca6070d2a5b

SHA512
f023584838ea1923582304285c3af3baa0910f043bbe17b4ad478e40cb32af03e9e7d361093137755dfa5122c043e13913bf5e2001c6aafd0e42d2086a067296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2E3402.exe

Filesize
1.8MB

MD5
325ea0dbf8e9f35599f66df895f0db2b

SHA1
d016ec236ccf146317e3c8f7de1cce02ce266eaa

SHA256
115500a834eb13f212572640ebb9bbcc0c5801bd5eb307e2fa41656aa0983ae2

SHA512
dfd862a7355e9e8091128d974fbdee21e17e4e852d43474255033dcf46dd475bff3ec1564a20d732718ae633bc975c0f6ce9d70585989b9e82a06ffc464a2265

Download Submit
memory/824-40-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/824-44-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/824-45-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/824-33-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/824-38-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/824-36-0x0000000000B70000-0x000000000100A000-memory.dmp

Filesize
4.6MB

Download
memory/1508-53-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-50-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-37-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-39-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-57-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-56-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-43-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-29-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-46-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-34-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-49-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-48-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-47-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-55-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-54-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/1508-35-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/2384-52-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download
memory/3056-28-0x00000000005E0000-0x0000000000A9C000-memory.dmp

Filesize
4.7MB

Download
memory/3056-14-0x00000000005E0000-0x0000000000A9C000-memory.dmp

Filesize
4.7MB

Download
memory/4212-42-0x0000000000A20000-0x0000000000EDC000-memory.dmp

Filesize
4.7MB

Download