amadey | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Sharing

Copy URL

Twitter E-mail

General

Target

quarantine.7z
Size

55.3MB
Sample

250415-3bdy3sxyds
MD5

3bb1d70ec71b0a92e9739edee4e883d7
SHA1

028a58d221e65d7e95599f903a9352001d9f7ee1
SHA256

b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878
SHA512

11988c6dc6b060cd09d45aaaecd718d72e843e48606a5796d41cdb58fba5ebfd5144628da29c68c6b3e14ae943ea6c3d2982244ec3cf26a0e6a1b5f921d48bc8
SSDEEP

1572864:PPB4ejeeHwYuQ/HqaCRCuv3B3PenFUrE8NQPW:RywuwkCuJubW

Malware Config

Extracted

Family

limerat

Wallets

34oTgBswSRbYC4CZFC9TdmhEtC4CU2TDY7

Attributes

aes_key
1212
antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
delay
3
download_payload
false
install
true
install_name
Windows.exe
main_folder
AppData
pin_spread
true
sub_folder
\Security\
usb_spread
true

Extracted

Family

amadey

Version

5.34

Botnet

8ac6b9

http://185.215.113.59

Attributes

install_dir
f1e82329e5
install_file
namez.exe
strings_key
022d16de15289562e076160ac426da7d
url_paths
/Dy5h4kus/index.php

rc4.plain

Extracted

Family

lumma

https://dynamiczl.live/tgre

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://3lonfgshadow.live/xawi

https://xliftally.top/xasj

https://inighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://zestmodp.top/zeda

https://owlflright.digital/qopy

https://bardcauft.run/tured

https://2changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://9nighetwhisper.top/lekd

https://gclarmodq.top/qoxo

https://lyjawdedmirror.run/ewqd

https://nighetwhisper.top/lekd

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
download_payload
false
install
false
pin_spread
false
usb_spread
false

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

quasar

Attributes

encryption_key
28FC4A95F224F2FFF41FECAA62178F6B0DF5F974
reconnect_delay
3000

Targets

- Target
  
  quarantine/07jGt0K.exe
- Size
  
  2.2MB
- MD5
  
  a9187bdd14994263a71df6391de8f2ec
- SHA1
  
  0dae6efc0a232f1eadbc9752f063ff2198658905
- SHA256
  
  ae3c79e6c2bdf029bb05fdd16b5279b6e47c782beee25bf89657e1e1382a8226
- SHA512
  
  1ba13176891feadf2fa5e0d60b9aa581270b56cafcfb2ad0d3a9d4a8ae27cb9d725ce3d0cf21d3a5bc69ca683d1c9577eb96ac454d41563a6fac49090bbfa8db
- SSDEEP
  
  49152:VHHiXaFbnwwQkcU4KtU6hBKiJvGnoLJGps6KxLJFWDvR+ACha:5OaFbnwvFKa09J+EJGps6oLmkAp
Score

10^/10

execution persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  quarantine/235T1TS.exe
- Size
  
  1.2MB
- MD5
  
  9d0b654f17466ee2eda9e03dd303812c
- SHA1
  
  312957b2937309721aef5a5945daafd2dfe0623c
- SHA256
  
  f98627e83fc643c88937ba13f628be9b9666c18aa10dbd279e1b8822d332880e
- SHA512
  
  48e7bacddcd04b8200bd20f03fd1e4618deb02fc616708a7e6d899a8071e493e7609ea1cc8ce86c17dacd2995879d9c3e58e6cf854ec07f4f25a1e7c34948b7c
- SSDEEP
  
  24576:2GkbQjI/z3YQE6eakkvEDiTZsM18DvlmpvRUtIguzz+6wzI2uTw:2Gkb6QBea3sDiVsMIsmtEzCzy
Score

10^/10

darkvision bootkit defense_evasion discovery execution persistence rat privilege_escalation spyware stealer
- DarkVision Rat
  DarkVision Rat is a trojan written in C++.
  rat darkvision
- Darkvision family
  darkvision
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3 behavioral4
- Target
  
  quarantine/4CJvcqK.exe
- Size
  
  11.2MB
- MD5
  
  97ee0152c2a01b871e3d4913fbc7cb76
- SHA1
  
  7c2e0f2e13cb5d42ce60d4e8b068f9db56f658b2
- SHA256
  
  937da7b147671af79eeb861a1b84c72909c684d799c799b51f172a799f7f7b7d
- SHA512
  
  0dad5d84d379725bbfe4c7f8c7ebbacf90dd1bb4ac492e32fbd5f4350bb90b869e2cf26647d380f24b94ae59888c8d804e53eeaee84d064e013822e0908d597a
- SSDEEP
  
  49152:OBGhXfYqe6XLPUaGkkYp0cmnqrnaCdUb2Scpy854h3S7VNiFYNYgm1jQhww0SaI:df17fxnaCgSyhh31gJm1jQyw0VR5B
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  quarantine/CBOZ4ZK.exe
- Size
  
  3.7MB
- MD5
  
  76ca7e7638670b4dd35fe71bf685bca5
- SHA1
  
  6c6653527ea165917f885fc31cc2e6f6a4022d58
- SHA256
  
  4c9905293811b4b96ebf835995398546a9dd899f171fbf40285dc93884846d82
- SHA512
  
  3d40a6e86b8438ab1e71a7a8c6860508e32a531a0c54fd5bb2072537a435d3698e564a64bc3ab9a2e87f93cbed17633950c3dc9c17d70a2738a878d3a3fbb467
- SSDEEP
  
  98304:kNlHTnyU8Jhf78/ltPw1dTnyU8Jhf78/ltPw1W:KHChj8/fwHChj8/fw8
Score

10^/10

quasar discovery spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  quarantine/Energy.exe
- Size
  
  1.3MB
- MD5
  
  27316ad140705b91d9652de8e59cdbf5
- SHA1
  
  c86f60b20034136a9ce76c03e79e35bbf8c3e0cc
- SHA256
  
  7ba4a5b16adcf81b4f4f792db0d5df6300e5cd10af300eb021a8bffbeb0445f2
- SHA512
  
  f76425bb7e5a9d3bfd6075d99150807bd88cbfe52bc1390a33c710a9513247726a2e2460b5e34dc751e58069271139e7c8f84c771d657b4e1b16256c6cddfe89
- SSDEEP
  
  24576:a5jJoCft46wxoAM+hYP2K5rP6wxoAM+hYP2K5rd:aNlft45CD2K5rP5CD2K5rd
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  quarantine/GPSHees.exe
- Size
  
  8.7MB
- MD5
  
  01de1a88bc8d6f160e83fcef880aa862
- SHA1
  
  7a25ae98fa37f8e530d6f0d83587c78768f68fe0
- SHA256
  
  fda6a7fbc787ee0d370f4eec0fb7f8cb43e85c09b4a8c48d73555c3de1b7ed63
- SHA512
  
  552187bcc2adda2133135a8cdf036cd0ba8d16d921d3d8c2014bea5807bab719a69df2fc068f20a0c699e10ce6668a529f7d55ce8c8c0999d86b752267cd5714
- SSDEEP
  
  196608:hQ4w8JPHv6Mi7OEaQF8zbI3Ddz+e6b9yK3SiRFhCac5E2z:hUeaMi7Za2I0Jzr4xvCaGEM
Score

10^/10

discovery
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  quarantine/VcYJXcL.exe
- Size
  
  13.5MB
- MD5
  
  a42a7864ee588e5627a17cc5b36a8cae
- SHA1
  
  3713244300e87a512ad10382571c98a08fd13155
- SHA256
  
  3d4915f94462dda1b3af5ca1ee39740e14644807fb743403e55c7b9a92101b7f
- SHA512
  
  2b86e5a3d0dcea2aa30731edbc1bf30251b1f5c0ebb24fcee772f8c9f4b0c1d5e11b8ebc633b4c4fd15f301dba0caf67114502e142efb5af3789114dd1a4490e
- SSDEEP
  
  393216:7lzh+J9e0FamFZOt7NUIaaHXDUJFbSflHjB0DjY31Z1CPwDv3uFh:7lz2s0FfZ2DUJFbSflHjB0Djm
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  quarantine/aUdWe9O.exe
- Size
  
  1.3MB
- MD5
  
  af953244c1d9840f8049a19a63232100
- SHA1
  
  92187b57db2988492b8dc18e18cf00279c266798
- SHA256
  
  25b780839a8b5e6db7aeab895ab4d387a260761377d931d71e341dfa72ff5837
- SHA512
  
  465016f714fa3e8532e21c3a189cfe9bc54fd074d5b35dc759040aa1b40eab2b2d1ed5bd343d8b69e225961151537d1fe871c98d39ce50f3c05e3c511875165e
- SSDEEP
  
  24576:U5jJoCft0kACbfFzjtmLrE7D3gOLJvJjkACbfFzjtmLrE7D3gOLJvJP:UNlft0bCbNzjWkbgIfbCbNzjWkbgIL
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  quarantine/eLa1r6q.exe
- Size
  
  28KB
- MD5
  
  15e27b66a793a187332608a4308395db
- SHA1
  
  3d35e1afd2ec15bfe99421b16a564b85f80a1a21
- SHA256
  
  c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f
- SHA512
  
  2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4
- SSDEEP
  
  768:JpW26eWrwugABZ445NwzQbF45rXupSUj:Jp/WrwuVrFkzAFkXCSU
Score

10^/10

limerat parallax discovery rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Limerat family
  limerat
- Parallax family
  parallax
- ParallaxRat
  ParallaxRat is a multipurpose RAT written in MASM.
  rat parallax
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
behavioral17 behavioral18
- Target
  
  quarantine/fLoJWdi.exe
- Size
  
  1.3MB
- MD5
  
  def40500470336b27f9b4b4ce5591312
- SHA1
  
  a28656a4df3301447585db79bc6f2e1dcc165c11
- SHA256
  
  b82c86e99eedead416273931a6ddc87cc67886d440508313e09862e1f9535535
- SHA512
  
  fc2f46bf3357b7610511e1d3da625deacc37420d9804dcacb5736550623ea956c37fda399e1a71f1d88d079b6b70fb6ed41921ca067e33b919ff34372d08679f
- SSDEEP
  
  12288:bOMhuQU6LugAiAe4lo8ZlWgJIC+CfkMv5iavBwmdiwQN60ZgAr6O/hqu7qSzmFm7:G5jJoCftHQQ0ZL5qbiQQ0ZL5qb7
Score

10^/10

lumma discovery spyware stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  quarantine/fyBqr89.msi
- Size
  
  6.2MB
- MD5
  
  69d4092b3524bc2bff4e5c73509c3eb9
- SHA1
  
  43cb58b5635aea617dd93565c1baa15fde3eb0c0
- SHA256
  
  23662f3ca1692692dc1f090acaf814695eddbbf5dba15fd7b2c95f8ef6c47432
- SHA512
  
  2085868cba95b6cf87f1c47efff4b95ce930c3ac2706cecb4f8d66b5611c7af11423a9397d17ad581bd9769143c88010f4b278fa332c8655978aaa5d4f34eaff
- SSDEEP
  
  196608:kCLvDC8Y0BDC2zU0jRhsk2/0ReXyhNHnIy9c:1LC8dB3fjRhPhReXyHIy
Score

9^/10

defense_evasion discovery persistence privilege_escalation
- Looks for VirtualBox drivers on disk
  defense_evasion
- Looks for VMWare drivers on disk
  defense_evasion
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral21 behavioral22
- Target
  
  quarantine/main.exe
- Size
  
  5.8MB
- MD5
  
  76eac6fdb7196c67d98b8adfd58c8236
- SHA1
  
  5a3336cb4ed8ce34a261d82abc9a6f9c91abe8e1
- SHA256
  
  5c965130ead30c0baf74b086fe097b657cd4f5e34b4a2b2ef553912b10796c41
- SHA512
  
  0a080cfc7ad46f62947f141d38317ac8b27776e7f702f42bb3051c8a3a60bca4fe11fb0ab372ae12fee2ad8f825134ac3091df113df0e4df7d10c7eb1275863e
- SSDEEP
  
  98304:5F2AhEeqTeJBdYVgSAtvSYEnNpve6alcr+/n6qSIjVs5WLFu:rCnTgqaSAtvsnvz/K1a5W
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  quarantine/random.exe
- Size
  
  415KB
- MD5
  
  3ec886e81b3a5649ff9dac6d88baba96
- SHA1
  
  9cfc98d1e96ddd9c45c157969a6a50221af62a2b
- SHA256
  
  ecc4cde448fa9b09bffc77555b878e1656ac4e5c6c4218b08078ee85b1b8f8d5
- SHA512
  
  3f7b22b744c11440ea58fd2963b4b306dadc601a1ecc65fc6f4ce48a3cb8d189a7467fa2d0220c7d2623668de15c2caf8c2e221412be80c065f18ca83dfb1217
- SSDEEP
  
  6144:tiUuGdolfFd313lcnGpPpnbJoHtbspmZfkCw3uWgGUS/T+WiU+9GTA/nw4AO2i2J:tiUuGdolfFd1lGkpbCVkCweWgB7A99j
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral25 behavioral26
- Target
  
  quarantine/random_2.exe
- Size
  
  1.7MB
- MD5
  
  35bd4798817140da48087770524d06fa
- SHA1
  
  a0412fee3d68987542842d77660e7da8312bcf37
- SHA256
  
  63f67e5e7f197c7f736ab4b42788ac77540e46053f047c7b4b5c4e84955128c5
- SHA512
  
  cd29b53d18478575c99d929c18f75d09f4df335a9c32133dab7ec5cddd12627e8f77c30307bf64cc57a9e8dea951ebbacab7e0cfb4f9ead5d6ee97a41d2249a5
- SSDEEP
  
  49152:3p7Lg6l71uKVZn0o6FoPHxWVN0mmlwJO7ABaJ:3p7Lt1uW0o6ixIN0ZwJAAY
Score

10^/10

healer defense_evasion discovery dropper evasion trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Healer family
  healer
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Windows security modification
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  quarantine/s8Sj4vA.exe
- Size
  
  5.4MB
- MD5
  
  1be0e0db93388bd4ac29fc850a122a2e
- SHA1
  
  91532349e2c23400b0ec0f2987713d49b8f3af24
- SHA256
  
  d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe
- SHA512
  
  e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681
- SSDEEP
  
  98304:q6RUAPvIw0NUBy6EzhQzCWyLt6Tike/E4pCOqn9VdsWAF1t1XqsVUzy:q6NPvIPU/CWGt6+keNpCOqn9A3lhv
Score

7^/10

discovery persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  quarantine/t98WFZ1.exe
- Size
  
  84KB
- MD5
  
  46fa2acd78224bd6a0b19d075efd78c2
- SHA1
  
  2ded48b4e7322c95a94c4a0a32cd55dcdb7f2fdf
- SHA256
  
  f87b5cf691fe69fcad610d5af5d75d119395024580bd7b5a064f8f0399f8903e
- SHA512
  
  c2690f4e94aca14ff2ce18aed4451ec212d9010780e2c70714b73b6bf3d8b2409fde38ac000a9d3c9db861b926f4ba48cfde1c0590c8ffa626f539ae321affa8
- SSDEEP
  
  1536:lqheMfnlkwr019FmLHOaCbnGrNi2RZEKH4H+6WfDvtOO5RsmXjFneY:AtKBzwLHNCbnGx1ZbDtOOvTN
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32