LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT
Tags
cmtmf-attack-pattern: Application Layer Protocol; Masquerading; Obfuscated Files Or Information; Process Injection
country: Russia
maec-delivery-vectors: Watering Hole
attack-pattern: Data Model; Software Discovery - T1418; Application Layer Protocol - T1437; Data From Local System - T1533; Dns - T1071.004; Dns - T1590.002; Domains - T1583.001; Domains - T1584.001; Encrypted Channel - T1521; Encrypted Channel - T1573; Hardware - T1592.001; Ingress Tool Transfer - T1544; Input Capture - T1417; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Msbuild - T1127.001; Phishing - T1660; Phishing - T1566; Process Injection - T1631; Reflective Code Loading - T1620; Registry Run Keys / Startup Folder - T1547.001; Security Software Discovery - T1518.001; Server - T1583.004; Server - T1584.004; Software - T1592.002; Software Discovery - T1518; Virtualization/Sandbox Evasion - T1497; Virtualization/Sandbox Evasion - T1633; Standard Application Layer Protocol - T1071; Browser Extensions - T1176; Credential Dumping - T1003; Data From Local System - T1005; Deobfuscate/Decode Files Or Information - T1140; File And Directory Discovery - T1083; Remote File Copy - T1105; Input Capture - T1056; Masquerading - T1036; Obfuscated Files Or Information - T1027; Process Discovery - T1057; Process Injection - T1055; Query Registry - T1012; Registry Run Keys / Start Folder - T1060; System Information Discovery - T1082; Windows Management Instrumentation - T1047; User Execution - T1204; Masquerading; User Execution
Common Information
Type Value
UUID 3e9f559b-e7d4-4c1e-b044-9cdee7fc63f5
Fingerprint ddd46a77a763af8e
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 11, 2023, midnight
Added to db Oct. 24, 2023, 1:15 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT
Title LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT
Detected Hints/Tags/Attributes 131/4/92
Attributes
Details Type #Events CTI Value
Details Domain 1
e-r1-setup-password-123.zip
Details Domain 1
exitlife.xyz
Details Domain 3
africatechs.com
Details Domain 1
patriciabono.com
Details Domain 3
enfantfoundation.com
Details Domain 1
fuji-iasi.ro
Details Domain 1
earthqik.co
Details Domain 1
silversoft.in
Details Domain 1
tbmcoats.com
Details Domain 1
aviangas.co.ke
Details Domain 911
any.run
Details File 2
newest_setup_123_useas_passkey.zip
Details File 1
latest_setup_use__password__224466.zip
Details File 1
latest_setup_use_224466_as_passcode.zip
Details File 1
new_pc_setup_password_useas_224466.zip
Details File 1
e-r1-setup-password-123.zip
Details File 1
active_setup_113355_useas_passkey.zip
Details File 1
setup_123_passwords_open_app.zip
Details File 2
passw0rdz_113355_open_setup_app.zip
Details File 1
active_setup_with_224466_password.zip
Details File 208
setup.exe
Details File 103
regasm.exe
Details File 1
c:\users\user\appdata\local\temp\hhwjilxtgukpvvhbpo.exe
Details File 1
c:\users\user\videos\edddegyjjykj.exe
Details File 1
edddegyjjykj.exe
Details File 1
c:\users\user\appdata\local\temp\1000349051\brr.exe
Details File 1
brr.exe
Details File 6
software.txt
Details File 14
system.txt
Details File 1204
index.php
Details File 149
msbuild.exe
Details IPv4 2
45.9.74.182
Details IPv4 1
95.143.190.57
Details MITRE ATT&CK Techniques 420
T1204
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 380
T1547.001
Details MITRE ATT&CK Techniques 440
T1055
Details MITRE ATT&CK Techniques 238
T1497
Details MITRE ATT&CK Techniques 627
T1027
Details MITRE ATT&CK Techniques 91
T1620
Details MITRE ATT&CK Techniques 289
T1003
Details MITRE ATT&CK Techniques 152
T1056
Details MITRE ATT&CK Techniques 433
T1057
Details MITRE ATT&CK Techniques 501
T1012
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 141
T1518.001
Details MITRE ATT&CK Techniques 534
T1005
Details MITRE ATT&CK Techniques 444
T1071
Details MITRE ATT&CK Techniques 163
T1573
Details MITRE ATT&CK Techniques 492
T1105
Details Url 1
http://exitlife.xyz/c2sock
Details Url 1
http://africatechs.com/amdaygo.exe
Details Url 1
http://45.9.74.182/b7djsdcpcz/index.php
Details Url 1
http://patriciabono.com/brr.exe
Details Url 3
http://enfantfoundation.com/amday.exe
Details Url 1
http://fuji-iasi.ro/brr.exe
Details Url 1
https://earthqik.co.za/br.exe
Details Url 1
http://silversoft.in/br.exe
Details Url 1
http://tbmcoats.com/brrr.exe
Details Url 1
http://aviangas.co.ke/brrrras.exe
Details Yara rule 1
rule LummaC_Stealer {
	meta:
		author = "Cyble"
		description = "Detects LummaC Stealer Files"
		date = "2023-08-10"
		os = "Windows"
		threat_name = "LummaC Stealer"
		scan_type = "Memory"
		severity = 100
		reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"
	strings:
		$a = "/c2sock" ascii wide
		$b = "TeslaBrowser" ascii wide
		$c = "Software.txt" ascii wide
		$d = "System.txt" ascii wide
		$e = "/c2conf" ascii wide
	condition:
		all of them
}
Details Yara rule 1
rule AmadeyBot {
	meta:
		author = "Cyble"
		description = "Detects Amadey Bot Files"
		date = "2023-08-10"
		os = "Windows"
		threat_name = "Amadey Bot"
		scan_type = "Memory"
		severity = 100
		reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"
	strings:
		$a = "/index.php" ascii wide
		$b = "\\MsBuild.exe" ascii wide
		$c = "id=" ascii wide
		$d = "&av=" ascii wide
		$e = "&pc=" ascii wide
		$f = "&un=" ascii wide
	condition:
		all of them
}