Resubmissions

04/05/2025, 17:44

250504-wbdvrax1hw 10

General

  • Target

    random.exe

  • Size

    2.9MB

  • Sample

    250504-y5rptafm3t

  • MD5

    434f9f760f3b7e44e6a15eb68c867882

  • SHA1

    8f95406c8e88493cae143df5649424027a35a774

  • SHA256

    18cca1b2fb73aab59c6d280c6226aa29082706f2ee8fe26bd9327a30197e0d44

  • SHA512

    cf5ce21ff904d0f8bf3344081c8f7f817d2ec80d126726312c94cfca31cf523ed136eaa282ab4258ca2b396c9c4d4c9c26668ba1c1978dc5cc8a424fbe37d561

  • SSDEEP

    49152:d6kh/83qaFgGd9oieNnuhQqsq29DxbG4kDgV0na8EXqd7:dJk3qaFgGd9oieNnuhQqpiG4kDgV0a8F

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

http://80.64.18.219/testmine/random.exe

Extracted

Family

amadey

Version

5.34

Botnet

8d33eb

C2

http://185.156.72.96

Attributes
  • install_dir

    d610cf342e

  • install_file

    ramez.exe

  • strings_key

    4a2b1d794e79a4532b6e2b679408d2bb

  • url_paths

    /te4h2nus/index.php

rc4.plain

Extracted

Family

lumma

C2

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Healer family

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

    • Lumma family

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender TamperProtection settings

    • Modifies Windows Defender notification settings

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (Phorpiex) is a malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Enumerates processes with tasklist

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks