General
-
Target
2025-07-04_2a1d3d616af3aa22f279ef9ce7e3c4f8_amadey_black-basta_cova_cryptbot_elex_luca-stealer
-
Size
3.2MB
-
Sample
250704-p1f8vatl19
-
MD5
2a1d3d616af3aa22f279ef9ce7e3c4f8
-
SHA1
9ff2ed39b107e90bf6b57a335fbca752e401fb0c
-
SHA256
25fc172f4982a3344ec9b7008a6502cf8420ea4589d58e92079df2726e70a2df
-
SHA512
c3ed7658171c8836a38ffbffb463a1179935f0c0da4b836518de6e1f76af1d808390cc50e7dcb6b4bd0e0ff5f13c61238da41a7f6c8da5bace99110e24a8b4a3
-
SSDEEP
98304:FpdyFFzT3R1MOXthCGjM7tYJ6+fN04KQFo4ybh:DdyTHDFTTjMKJffN04KRvh
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_2a1d3d616af3aa22f279ef9ce7e3c4f8_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
2025-07-04_2a1d3d616af3aa22f279ef9ce7e3c4f8_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe
Resource
win11-20250619-en
Malware Config
Extracted
amadey
5.50
9fa1e2
http://176.46.157.50
-
install_dir
bd4cae89c3
-
install_file
suker.exe
-
strings_key
a27669e4fa4aae7e94baf28c7141a7c8
-
url_paths
/tu3d2rom/index.php
Extracted
asyncrat
Xchallenger | 3Losh
%#SOSO#%
maxo.4cloud.click:20100
AsyncMutex_ASS
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
vidar
14.4
af2fc86ef17a9327de4bf3768785d3ca
https://t.me/q0l0o
https://steamcommunity.com/profiles/76561199872233764
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/137.0.0.0 Safari/537.36 OPR/122.0.0.0
Extracted
lumma
https://rbmlh.xyz/lakd
https://ycvduc.xyz/trie
https://nbcsfar.xyz/tpxz
https://cbakk.xyz/ajng
https://trsuv.xyz/gait
https://sqgzl.xyz/taoa
https://cexpxg.xyz/airq
https://urarfx.xyz/twox
https://liaxn.xyz/nbzh
-
build_id
5811dd1f4790044870b2e68218f8c519c31bd7253b
Extracted
xworm
66.63.187.164:8594
-
Install_directory
%Temp%
-
install_file
Firefox.exe
Extracted
quasar
1.4.1
Google Chrome
66.63.187.164:8596
c16b22a2-5069-46dc-a1ba-a8fc7e9317ce
-
encryption_key
A978BA54BE34046C0D3E3D447504B0C1FBA599C7
-
install_name
Jackes.exe
-
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
-
log_directory
Logs
-
reconnect_delay
5000
-
startup_key
Wave Browser
-
subdirectory
Wave Google
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
66.63.187.164:8595
svchost
-
reg_key
svchost
-
splitter
|Hassan|
Targets
-
-
Target
2025-07-04_2a1d3d616af3aa22f279ef9ce7e3c4f8_amadey_black-basta_cova_cryptbot_elex_luca-stealer
-
Size
3.2MB
-
MD5
2a1d3d616af3aa22f279ef9ce7e3c4f8
-
SHA1
9ff2ed39b107e90bf6b57a335fbca752e401fb0c
-
SHA256
25fc172f4982a3344ec9b7008a6502cf8420ea4589d58e92079df2726e70a2df
-
SHA512
c3ed7658171c8836a38ffbffb463a1179935f0c0da4b836518de6e1f76af1d808390cc50e7dcb6b4bd0e0ff5f13c61238da41a7f6c8da5bace99110e24a8b4a3
-
SSDEEP
98304:FpdyFFzT3R1MOXthCGjM7tYJ6+fN04KQFo4ybh:DdyTHDFTTjMKJffN04KRvh
-
Amadey family
-
Asyncrat family
-
Detect Vidar Stealer
-
Detect Xworm Payload
-
Lumma family
-
Njrat family
-
Quasar family
-
Quasar payload
-
Vidar family
-
Xworm family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Stops running service(s)
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
ConfuserEx .NET packer
Detects ConfuserEx .NET packer.
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Authentication Process
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
6Credentials In Files
5Credentials in Registry
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
9System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Wi-Fi Discovery
1Virtualization/Sandbox Evasion
2