Key Takeaways
- This blog describes a new infection chain used to deliver the SectopRAT final payload.
- It provides insight into the LummaC stealer and the method by which it fetches the Amadey bot malware.
- The Amadey bot copies itself to maintain persistence and creates an LNK file in the Startup folder. When that LNK file is launched, it executes the copied Amadey instance.
- When the Amadey bot runs, it downloads the SectopRAT payload and executes it on the victim's system.
Executive Summary
LummaC, an information stealer, is distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums. The malware is designed to steal sensitive data from infected devices, including cryptocurrency wallets, browser extensions, two-factor authentication codes, and various files. The Threat Actors (TAs) behind this malware have consistently released improved iterations of LummaC. The latest iteration adds several features, including the ability to load other malware files (introduced in version 19.07) while the main information-stealing component is running on the victim's system, as shown in the image below.
Cyble Research & Intelligence Labs (CRIL) has recently come across a novel approach for spreading SectopRAT. This technique delivers the SectopRAT payload through the Amadey bot malware, which is itself retrieved by the LummaC stealer, as illustrated in the figure below.
Detailed information about these techniques is provided in the Technical Analysis section.
Initial Infection
In most cases, the LummaC Stealer has been disseminated through phishing websites that impersonate genuine software sources, as well as via spear-phishing emails.
Historically, the LummaC stealer was distributed through deceptive websites, such as a counterfeit Microsoft Sysinternals Suite site. It also targeted YouTubers through spear-phishing emails and was further spread under the guise of illicit software cracks.
Technical Analysis
We’ve encountered several ZIP files in the wild that seem to contain the LummaC stealer malware. It’s possible that these files are being distributed through a YouTube campaign disguised as software setup files. A few examples of these filenames include:
• Newest_Setup_123_UseAs_PassKey.zip
• Latest_Setup_Use__PassWord__224466.zip
• Latest_Setup_Use_224466_As_PassCode.zip
• New_PC_Setup_PassWord_UseAs_224466.zip
• $#E-R1-Setup-Password-123.zip
• Active_Setup_113355_UseAs_PassKey.zip
• Setup_123_Passwords_Open_App.zip
• Passw0rdz_113355_Open_Setup_App.zip
• Active_Setup_With_224466_PassWord.zip
These files appear to have been deliberately named in a way that could attract users, potentially tricking them into running the contained malware. In this technical analysis, we analyzed a sample named “Active_Setup_With_224466_PassWord.zip.”
The SHA-256 hash of this ZIP archive file is 7b5500ada0bf017d0bac84b181076ebfd7220693748b9ca634f06271837edfb7.
The image below illustrates the contents of a ZIP archive featuring two directories named “Common Files” and “HMService.” These directories encompass numerous legitimate DLL files, while the ZIP archive itself contains an executable called “Setup.exe.” Importantly, the “Setup.exe” serves as a payload for the LummaC Stealer executable.
The LummaC Stealer file (“Setup.exe”) has the SHA256 hash f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144. This binary is a 32-bit GUI-based executable protected with .NET Reactor.
LummaC Stealer
LummaC Stealer is malware designed to gather sensitive information from compromised devices illicitly. This includes a variety of data, such as cryptocurrency wallets, browser extensions, two-factor authentication codes, and files. LummaC Stealer is offered as a service by its creators, available on underground forums and Telegram channels primarily used by Russian speakers since at least August 2022. The seller of this software has been actively marketing LummaC Stealer since April 2022, releasing new versions and responding to questions on underground forums, Telegram channels, and a dedicated website.
According to the information provided by TAs, LummaC2 represents a next-gen stealer with an impressive success rate. Notably, it operates effectively even on clean systems, devoid of any dependencies whatsoever. Its key features include server-based log decryption. LummaC2 specializes in pilfering data from Chromium and Mozilla-derived browsers, encompassing about 70 browser-based cryptocurrencies and 2FA extensions. The toolkit encompasses a non-resident Loader, a dynamic low-level file grabber, and the latest innovation, the BINARY MORPHER.
When the “Setup.exe” is executed, it initiates the process of injecting the malicious LummaC Stealer content into the memory of “RegAsm.exe”, as shown below.
Once successfully installed on a targeted system, LummaC Stealer orchestrates covert operations to collect important system details, such as operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language. With this information, the malware extracts sensitive data from designated applications, concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others.
The figure below displays memory content within RegAsm.exe, containing strings associated with the URL of the LummaC Stealer’s command-and-control server.
LummaC Stealer’s impact is significant, spanning various web browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and others. Within these environments, the stealer gains access to browsing histories, internet cookies, login details, personal data, credit card information, and other valuable data.
After gathering all the sensitive information from the targeted system, the stealer encrypts the collected data and sends it to the C&C server, as depicted in the image below.
- hxxp[:]//exitlife[.]xyz/c2sock
CRIL has already published a comprehensive blog post offering a detailed examination of LummaC Stealer. The blog can be accessed here.
Furthermore, the LummaC Stealer retrieves the Amadey bot malware by downloading it from the following URL, as depicted in the below figure.
- hxxp[:]//africatechs[.]com/Amdaygo[.]exe
Amadey Bot
Amadey Bot is a type of malware that was first identified in 2018. It can carry out tasks like exploring compromised systems, gathering data, and loading additional malicious payloads. During its early stages, it was disseminated through exploit kits. TAs used it to deliver different types of malware, including the GandCrab ransomware and the FlawedAmmyy Remote Access Trojan (RAT). In 2022, affiliates linked to the LockBit group employed the Amadey bot to distribute ransomware to their targets.
The Amadey bot, once retrieved by the LummaC Stealer, is saved and executed within the Temp directory with the below-specified filename:
- C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe
The Amadey bot is a 32-bit GUI type .NET Reactor executable with sha256 d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c.
After being executed, the Amadey malware copies itself to the following location and executes it.
- C:\Users\user\Videos\edddegyjjykj.exe
Additionally, it creates an LNK file that, when launched, executes the dropped copy of itself, “edddegyjjykj.exe.” This LNK file is placed in the Startup folder below so that the copy runs at every logon, maintaining persistence.
- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk
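The persistence above (a Startup-folder LNK whose target is a copy of the bot under the user's Videos directory) is something a responder can triage directly. The following is an added example, not code from the Cyble report: it parses the LocalBasePath field of MS-SHLLINK files, flags targets that sit in user-writable staging directories (the directory list is an assumption), and constructs a sample shortcut mirroring the report's path so it runs offline.

```python
# Added example (not from the Cyble report): flag Startup-folder shortcuts whose
# target sits in a user-writable staging directory, the Amadey pattern described above.
import os
import struct
from pathlib import Path, PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # shell link CLSID
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2                               # LinkFlags bits
SUSPICIOUS_DIRS = ("videos", "temp", "downloads", "public", "music", "pictures")  # assumption

def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("latin-1")    # NUL-terminated ANSI string

def lnk_target(data: bytes):
    """Return LocalBasePath + CommonPathSuffix of an MS-SHLLINK file, or None if absent."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                                   # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINKINFO:
        return None                                          # relative/Unicode-only link: unresolved
    li_flags, = struct.unpack_from("<I", data, pos + 8)
    if not li_flags & 0x1:                                   # VolumeIDAndLocalBasePath unset
        return None
    base_off, _, suffix_off = struct.unpack_from("<III", data, pos + 16)
    return _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)

def is_suspicious_target(target: str) -> bool:
    """True when the target lives under C:\\Users\\<user>\\<staging dir>\\..."""
    parts = [p.lower() for p in PureWindowsPath(target).parts]
    return len(parts) > 3 and parts[1] == "users" and any(d in parts[3:-1] for d in SUSPICIOUS_DIRS)

def triage_startup(shortcuts: dict) -> list:
    """{name: lnk_bytes} -> (name, target, verdict) rows; verdict is ok/suspicious/unresolved."""
    rows = []
    for name, blob in shortcuts.items():
        target = lnk_target(blob)
        verdict = "unresolved" if target is None else ("suspicious" if is_suspicious_target(target) else "ok")
        rows.append((name, target or "", verdict))
    return rows

def build_lnk(target: str) -> bytes:
    """Construct a minimal shell link (header + LinkInfo) as offline test data; not a real sample."""
    base = target.encode("latin-1") + b"\0"
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\0"      # VolumeID: fixed drive, empty label
    hdr, base_off = 28, 28 + 17                              # LinkInfoHeaderSize, LocalBasePathOffset
    body = volume + base + b"\0"                             # LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", hdr + len(body), hdr, 1, hdr, base_off, 0, base_off + len(base)) + body
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINKINFO) + bytes(0x4C - 24)
    return header + link_info

if __name__ == "__main__":
    folder = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")
    found = {p.name: p.read_bytes() for p in Path(folder).glob("*.lnk")} if os.path.isdir(folder) else {}
    found.setdefault("edddegyjjykj.lnk", build_lnk(r"C:\Users\user\Videos\edddegyjjykj.exe"))  # constructed
    for row in triage_startup(found):
        print(*row, sep="\t")
```

Shortcuts without a LinkInfo block (relative-path or Unicode-only links) are reported as unresolved rather than silently passed, so they still get a look.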
During the execution, Amadey establishes communication with its C&C server, regularly transmitting system details such as OS version, architecture, username, installed antivirus software, etc. Additionally, it queries the server to receive instructions. The primary feature of Amadey is its capability to deploy other payloads to all compromised computers or selectively to those targeted by the malware.
The below figure illustrates the malware sending system information to the C&C server through the following URL:
- hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php
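The check-in described above, together with the field names in the AmadeyBot YARA rule later on this page (id, av, pc, un sent to /index.php) and the hosts in the IOC table, can be turned into a log-side detection. This is an added example, not code from the report; the proxy log format, the constructed log lines, and the assumption that the fingerprint fields travel in a POST body are this example's own.

```python
# Added example (not from the Cyble report): flag Amadey-style activity in HTTP proxy
# logs, using the fields from the report's YARA rule (id/av/pc/un to /index.php) and the
# report's IOC hosts. The log format, the sample lines and the assumption that the
# fingerprint fields travel in a POST body are this example's own.
import re
from urllib.parse import parse_qs, urlsplit

# Hosts quoted in the report's IOC table, kept defanged; refanged only for matching.
KNOWN_HOSTS = ("exitlife[.]xyz", "africatechs[.]com", "45[.]9[.]74[.]182", "patriciabono[.]com")
AMADEY_FIELDS = {"id", "av", "pc", "un"}       # strings $c-$f of the AmadeyBot YARA rule

# Assumed proxy log format: <timestamp> <client> <METHOD> <url> <status> [body="..."]
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3})(?: body="(?P<body>[^"]*)")?$')

def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable value."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def scan(log_text: str) -> list:
    """Return (client, url, [reasons]) for every flagged request, in log order."""
    known = {refang(h) for h in KNOWN_HOSTS}
    checked_in = set()                           # clients that already sent a fingerprint POST
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                             # unparsable line: skip, don't abort the scan
        url = urlsplit(m["url"])
        host, path = (url.hostname or "").lower(), url.path.lower()
        reasons = []
        if host in known:
            reasons.append("host listed in report IOCs")
        if m["method"] == "POST" and path.endswith("/index.php"):
            if AMADEY_FIELDS <= set(parse_qs(m["body"] or "", keep_blank_values=True)):
                reasons.append("Amadey host-fingerprint POST (id/av/pc/un)")
                checked_in.add(m["src"])
        if m["method"] == "GET" and path.endswith(".exe") and m["src"] in checked_in:
            reasons.append("executable fetched after Amadey check-in")   # the BRR.exe stage
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits

# Constructed sample log (not real traffic); lines 2 and 3 mirror the chain described in the report.
SAMPLE_LOG = """\
2023-08-10T10:00:01Z 10.0.0.7 GET http://updates.example.test/manifest.json 200
2023-08-10T10:00:05Z 10.0.0.7 POST http://45.9.74.182/b7djSDcPcZ/index.php 200 body="id=CONSTRUCTED01&av=13&pc=DESKTOP-TEST&un=user"
2023-08-10T10:00:09Z 10.0.0.7 GET http://patriciabono.com/BRR.exe 200
2023-08-10T10:00:12Z 10.0.0.9 POST http://intranet.example.test/index.php 200 body="id=42&action=login"
"""

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(f"{src} {url}: {'; '.join(reasons)}")
```

The last sample line shows why all four fields are required: an ordinary web application POSTing `id=` to its own index.php is not flagged.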
CRIL has previously released an extensive blog post that provides an in-depth analysis of Amadey Bot. It can be accessed here.
Moreover, the malware downloads an additional malicious payload from the following URL, as mentioned in the figure below.
- hxxp[:]//patriciabono[.]com/BRR[.]exe
The image below depicts the malware’s memory content, including strings related to the Amadey bot’s C&C server, as well as the URL for the SectopRAT payload.
SectopRAT
SectopRAT (aka Arechclient) is a Remote Access Trojan (RAT) built using the .NET compiler. It boasts a wide array of functionalities, including the pilfering of browser data and cryptocurrency wallet details. It can establish a concealed secondary desktop, which it uses to oversee and manipulate browser sessions. Notably, SectopRAT is equipped with Anti-VM and Anti-Emulator mechanisms intended to complicate malware analysis. These techniques alter the malware’s behavior within environments designed for analysis, making it challenging to discern its true malicious nature.
After being downloaded by Amadey, the SectopRAT is stored and executed in the Temp directory using the below folder and filename:
- C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe
The SectopRAT is a 32-bit executable, protected using the Themida packer, and its SHA256 is 501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4.
Once the “BRR.exe” is executed, the malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data.” These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system.
The following figure illustrates the browsers, games, email clients, and other software that the malware focuses on to extract sensitive information.
Furthermore, it can steal important details from various cryptocurrency wallets such as Atomic, Exodus, Electrum, and Daedalus Mainnet. The malware has the capability to not only access cryptocurrency wallets through specific directories but it can also retrieve data from crypto wallet browser extensions, as mentioned in the table below.
Extension ID | Wallet |
ckpaelocniggkheibcacecnmmlmeodfa | CryptoBit |
ibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink |
fhbohimaelbohpjbbldcngcnapndodjp | Binance Wallet |
nkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask |
SectopRAT communicates with its C&C server at the following IP:Port:
- 95[.]143[.]190[.]57:15648
The below image depicts the activity associated with the initialization string. This string acted as a signal that the encryption status for the malware’s operations had been switched to “on” within the compromised system.
Figure 12 – SectopRAT memory strings
Conclusion
The deliberate introduction of multiple malware strains strategically enhances the capabilities and control of the threat actors (TAs) over the compromised system. This integration empowers them to carry out a diverse range of malicious activities, starting from the initial breach and extending to data extraction and the potential for remote control access. Through these intricate maneuvers, the likelihood of evading detection is heightened, allowing for a prolonged presence within the system and effectively achieving their malicious goals.
The most recent iteration of LummaC stealer can load additional malware onto the targeted system. In this campaign, LummaC stealer is used to retrieve and install the Amadey bot, which is known for system reconnaissance, data theft, and the deployment of further malicious payloads. The Amadey bot in turn fetches SectopRAT, a .NET Remote Access Trojan with a wide range of functionality, including anti-analysis techniques that help it evade detection.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Implement sophisticated email filtering solutions to detect and prevent spam, phishing attempts, and malicious emails.
- Refrain from accessing links and attachments from unfamiliar or untrusted sources. Always confirm the credibility of the sender before engaging with links or attachments.
- Download and install software applications solely from reputable and well-established sources. Avoid obtaining software from online sources that lack credibility or verification.
- Install a reliable antivirus and comprehensive internet security suite on all devices. Regularly update and scan for potential threats to ensure ongoing protection.
- Utilize URL filtering tools to block access to known malicious websites and domains. Prevent users from inadvertently downloading malware from dangerous URLs.
- Conduct periodic cybersecurity training sessions for employees. Educate them about the latest threats, phishing tactics, and the risks of email attachments and links.
- Emphasize the importance of not downloading or executing files from unknown sources. Raise awareness about the potential consequences of interacting with suspicious content.
- Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Execution | T1047 | Windows Management Instrumentation |
Persistence | T1547.001 | Registry Run Keys / Startup Folder |
Privilege Escalation | T1055 | Process Injection |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1562 | Disable or Modify Tools |
Defense Evasion | T1027.002 | Software Packing |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Defense Evasion | T1620 | Reflective Code Loading |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1056 | Input Capture |
Discovery | T1057 | Process Discovery |
Discovery | T1012 | Query Registry |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1518.001 | Security Software Discovery |
Collection | T1005 | Data from Local System |
C&C | T1071 | Application Layer Protocol |
C&C | T1573 | Encrypted Channel |
C&C | T1105 | Ingress Tool Transfer |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
507bddfabd74a3d024b2ad5f67d666ea | MD5 | LummaC Stealer exe |
78eac92e0040e033406e6786b58b8a367fe171fa | SHA1 | LummaC Stealer exe |
f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144 | SHA256 | LummaC Stealer exe |
952d825a264745bb52b6977ba5983568 | MD5 | Amadey Bot exe |
627a0a841c2fe194dd54f9ec6b0c1231d7da135f | SHA1 | Amadey Bot exe |
d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c | SHA256 | Amadey Bot exe |
f290ed868caae994bbfae1b63aca1d28 | MD5 | SectopRAT exe |
5ac7b60e56281dc0c72f7c1125b165867df56ed9 | SHA1 | SectopRAT exe |
501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4 | SHA256 | SectopRAT exe |
hxxp[:]//exitlife[.]xyz/c2sock | URL | LummaC stealer C&C |
hxxp[:]//africatechs[.]com/Amdaygo[.]exe | URL | Amadey Payload URL |
hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php | URL | Amadey C&C |
hxxp[:]//patriciabono[.]com/BRR[.]exe | URL | SectopRAT Payload URL |
95[.]143[.]190[.]57:15648 | IP:Port | SectopRAT C&C |
hxxp://enfantfoundation[.]com/amday[.]exe | URL | Similar Amadey Payload URL |
hxxp://fuji-iasi[.]ro/BRR[.]exe | URL | Similar SectopRAT Payload URL |
hxxps://earthqik[.]co[.]za/BR[.]exe | URL | Similar SectopRAT Payload URL |
hxxp://silversoft[.]in/BR[.]exe | URL | Similar SectopRAT Payload URL |
hxxp://tbmcoats[.]com/BRRR[.]exe | URL | Similar SectopRAT Payload URL |
hxxp://aviangas[.]co[.]ke/BRRRRAS[.]exe | URL | Similar SectopRAT Payload URL |
ET Rules
SID | Rule Name | Malware |
2046637 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt | LummaC Stealer |
2039423 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1 | LummaC Stealer |
2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 | LummaC Stealer |
2039425 | ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup | LummaC Stealer |
2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | Amadey Bot |
2045752 | ET MALWARE Win32/Amadey Payload Request (GET) | Amadey Bot |
2044623 | ET MALWARE Amadey Bot Activity (POST) | Amadey Bot |
2044695 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1 | Amadey Bot |
2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | Amadey Bot |
YARA Rules
rule LummaC_Stealer
{
    meta:
        author = "Cyble"
        description = "Detects LummaC Stealer Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "LummaC Stealer"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"
    strings:
        $a = "/c2sock" ascii wide      // C&C endpoint seen in memory (see C&C URL above)
        $b = "TeslaBrowser" ascii wide
        $c = "Software.txt" ascii wide
        $d = "System.txt" ascii wide
        $e = "/c2conf" ascii wide
    condition:
        all of them
}
rule AmadeyBot
{
    meta:
        author = "Cyble"
        description = "Detects Amadey Bot Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "Amadey Bot"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"
    strings:
        $a = "/index.php" ascii wide    // C&C check-in path
        $b = "MsBuild.exe" ascii wide
        $c = "id=" ascii wide           // $c-$f: system-information fields sent to the C&C
        $d = "&av=" ascii wide
        $e = "&pc=" ascii wide
        $f = "&un=" ascii wide
    condition:
        all of them
}
rule SectopRAT
{
    meta:
        author = "Cyble"
        description = "Detects SectopRAT Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "SectopRAT"
        scan_type = "Memory"
        severity = 100
        reference_sample = "75e64bd57bfaad471d202d46b726473ccf2182d9d511a32304903324648a90b1"
    strings:
        $a = "User Data" ascii wide
        $b = "EncryptionStatus\",\"Status" ascii wide   // quote escapes assumed lost in extraction
        $c = "BotName" ascii wide
        $d = "BotOS" ascii wide
        $e = "URLData" ascii wide
        $f = "Web Data" ascii wide
        $g = "User Data\\Local State" ascii wide        // path separator assumed lost in extraction
    condition:
        all of them
}
Source: https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/