LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT

Key Takeaways

  • This blog examines a new infection chain used to deliver the SectopRAT final payload.
  • It provides insight into the LummaC stealer and the method it uses to retrieve the Amadey bot malware.
  • The Amadey bot copies itself to ensure persistence and creates an LNK file in the Startup folder. When this LNK file is launched, it executes the dropped copy of Amadey.
  • The Amadey bot then downloads the SectopRAT payload and executes it on the victim’s system.

Executive Summary

LummaC, an information stealer, is being distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking forums. This malware is designed to pilfer sensitive data from infected devices. Among the data targeted are cryptocurrency wallets, browser extensions, two-factor authentication codes, and various files. The Threat Actors (TAs) accountable for this malware have consistently introduced improved iterations of LummaC. This new iteration boasts several additional features, including the ability to load other malware files (introduced in version 19.07) while the main information-stealing malware is executing on the victim’s system, as mentioned in the image below.

Figure 1 – New Loader feature of LummaC stealer mentioned in the TA’s Telegram channel

Cyble Research & Intelligence Labs (CRIL) has recently come across a novel approach for spreading SectopRAT. This technique entails delivering the SectopRAT payload by utilizing the Amadey bot malware, which is retrieved from the LummaC stealer, as illustrated in the figure below.

Figure 2 – Infection chain

Detailed information about these techniques is provided in the Technical Analysis section.

Initial Infection

In most cases, the LummaC Stealer has been disseminated through phishing websites that impersonate genuine software sources, as well as via spear-phishing emails.

Historically, the LummaC stealer was distributed through deceptive websites, such as a counterfeit Microsoft Sysinternals Suite site. It also targeted YouTubers with spear-phishing emails and was further disseminated by masquerading as illicit software cracks.

Technical Analysis

We’ve encountered several ZIP files in the wild that seem to contain the LummaC stealer malware. It’s possible that these files are being distributed through a YouTube campaign disguised as software setup files. A few examples of these filenames include:

• $

These files appear to have been deliberately named in a way that could attract users, potentially tricking them into running the contained malware. In this technical analysis, we analyzed a sample named “”

The SHA-256 hash of this ZIP archive file is 7b5500ada0bf017d0bac84b181076ebfd7220693748b9ca634f06271837edfb7.

The image below illustrates the contents of the ZIP archive, which features two directories named “Common Files” and “HMService.” These directories contain numerous legitimate DLL files, while the root of the archive contains an executable called “Setup.exe.” Importantly, “Setup.exe” is the LummaC Stealer payload.

Figure 3 – Content of ZIP archive file

The LummaC Stealer file (“Setup.exe”) is identified by its SHA256 hash f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144. This binary is a 32-bit GUI-based .NET Reactor executable.

LummaC Stealer

LummaC Stealer is malware designed to gather sensitive information from compromised devices illicitly. This includes a variety of data, such as cryptocurrency wallets, browser extensions, two-factor authentication codes, and files. LummaC Stealer is offered as a service by its creators, available on underground forums and Telegram channels primarily used by Russian speakers since at least August 2022. The seller of this software has been actively marketing LummaC Stealer since April 2022, releasing new versions and responding to questions on underground forums, Telegram channels, and a dedicated website.

According to the information provided by TAs, LummaC2 represents a next-gen stealer with an impressive success rate. Notably, it operates effectively even on clean systems, devoid of any dependencies whatsoever. Its key features include server-based log decryption. LummaC2 specializes in pilfering data from Chromium and Mozilla-derived browsers, encompassing about 70 browser-based cryptocurrencies and 2FA extensions. The toolkit encompasses a non-resident Loader, a dynamic low-level file grabber, and the latest innovation, the BINARY MORPHER.

When the “Setup.exe” is executed, it initiates the process of injecting the malicious LummaC Stealer content into the memory of “RegAsm.exe”, as shown below.

Figure 4 – LummaC stealer process tree


Once successfully installed on a targeted system, LummaC Stealer orchestrates covert operations to collect important system details, such as operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language. With this information, the malware extracts sensitive data from designated applications, concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others.

The figure below displays memory content within RegAsm.exe, containing strings associated with the URL of the LummaC Stealer’s command-and-control server.

Figure 5 – LummaC C&C strings present in RegAsm memory


LummaC Stealer’s impact is significant, spanning various web browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and others. Within these environments, the stealer gains access to browsing histories, internet cookies, login details, personal data, credit card information, and other valuable data.

After gathering all the sensitive information from the targeted system, the stealer encrypts the collected data and sends it to the C&C server, as depicted in the image below.

  • hxxp[:]//exitlife[.]xyz/c2sock
Figure 6 – LummaC C&C communication


CRIL has already published a comprehensive blog post offering a detailed examination of LummaC Stealer. The blog can be accessed here.

Furthermore, the LummaC Stealer retrieves the Amadey bot malware by downloading it from the following URL, as depicted in the below figure.

  • hxxp[:]//africatechs[.]com/Amdaygo[.]exe
Figure 7 – Presence of Amadey payload URL in LummaC memory

Amadey Bot

Amadey Bot is a type of malware that was identified in 2018. It can carry out tasks like exploring compromised systems, gathering data, and loading additional malicious payloads. During its early stages, it was disseminated through exploit kits. TAs used it to introduce different types of malware, including the GandCrab ransomware and the Flawed Ammyy Remote Access Trojan (RAT). In 2022, affiliates linked to the LOCKBIT group employed the Amadey bot to distribute ransomware to their targets.

The Amadey bot, once retrieved by the LummaC Stealer, is saved and executed within the Temp directory with the below-specified filename:

  • C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe

The Amadey bot is a 32-bit GUI-based .NET Reactor executable with SHA256 d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c.

After being executed, the Amadey malware copies itself to the following location and executes the copy.

  • C:\Users\user\Videos\edddegyjjykj.exe

Additionally, it creates an LNK file that, when launched, executes the dropped copy of itself, “edddegyjjykj.exe”. This LNK file is dropped into the below Startup folder location to maintain persistence.

  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

During the execution, Amadey establishes communication with its C&C server, regularly transmitting system details such as OS version, architecture, username, installed antivirus software, etc. Additionally, it queries the server to receive instructions. The primary feature of Amadey is its capability to deploy other payloads to all compromised computers or selectively to those targeted by the malware.

The below figure illustrates the malware sending system information to the C&C server through the following URL:

  • hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php
Figure 8 – Amadey exfiltration
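As an added illustration of how this check-in traffic can be spotted in web-proxy logs (example code written for this write-up, not part of the original post or of any tool it describes), the Python below flags POSTs to an index.php endpoint whose form body carries the id=, av=, pc= and un= fields together, the same strings the AmadeyBot YARA rule at the end of this post keys on. The log format and the sample lines are constructed; the extra body fields are filler, not Amadey’s real parameter names.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines (not taken from the original post). Line 1 mimics
# an Amadey check-in to the C&C path from this post; its marker fields are the
# ones the post's AmadeyBot YARA rule keys on (id=, &av=, &pc=, &un=), the
# other fields are invented filler. Lines 2 and 3 are benign traffic.
SAMPLE_LOGS = [
    '2023-08-10T10:01:02Z 10.0.0.5 POST http://45.9.74.182/b7djSDcPcZ/index.php '
    'body="id=123456789&os=10&pc=DESKTOP-TEST&un=user&av=0"',
    '2023-08-10T10:01:05Z 10.0.0.7 POST http://blog.example/wp/index.php '
    'body="log=editor&pwd=REDACTED&wp-submit=Log+In"',
    '2023-08-10T10:01:09Z 10.0.0.5 GET http://update.example/index.php body=""',
]

# Field names the Amadey check-in carries (from the post's YARA strings).
AMADEY_FIELDS = ("id", "av", "pc", "un")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body="(?P<body>[^"]*)"$'
)


def is_amadey_beacon(method: str, url: str, body: str) -> bool:
    """True when a request looks like an Amadey check-in: a POST to an
    index.php endpoint whose form body carries all four marker fields."""
    if method != "POST" or not urlparse(url).path.lower().endswith("/index.php"):
        return False
    params = parse_qs(body, keep_blank_values=True)
    return all(field in params for field in AMADEY_FIELDS)


def scan(lines):
    """Return one record per suspected beacon with the values an analyst
    pivots on: bot id, hostname, username, AV code and the C&C host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_amadey_beacon(m["method"], m["url"], m["body"]):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "c2": urlparse(m["url"]).netloc,
            "bot_id": params["id"][0],
            "host": params["pc"][0],
            "user": params["un"][0],
            "av": params["av"][0],
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["c2"]} bot={hit["bot_id"]} '
              f'host={hit["host"]} user={hit["user"]} av={hit["av"]}')
```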

CRIL has previously released an extensive blog post that provides an in-depth analysis of Amadey Bot. It can be accessed here.

Moreover, the malware downloads an additional malicious payload from the following URL, as mentioned in the figure below.

  • hxxp[:]//patriciabono[.]com/BRR[.]exe
Figure 9 – Amadey C&C communication


The image below depicts the malware’s memory content, including strings related to the Amadey bot’s C&C server, as well as the URL for the SectopRAT payload.

Figure 10 – Presence of SectopRAT payload URL in Amadey memory


SectopRAT (aka Arechclient) is a Remote Access Trojan (RAT) built using the .NET compiler. It boasts a wide array of functionalities, including the pilfering of browser data and cryptocurrency wallet details. It can establish a concealed secondary desktop, which it uses to oversee and manipulate browser sessions. Notably, SectopRAT is equipped with Anti-VM and Anti-Emulator mechanisms intended to complicate malware analysis. These techniques alter the malware’s behavior within environments designed for analysis, making it challenging to discern its true malicious nature.

After being downloaded by Amadey, the SectopRAT is stored and executed in the Temp directory using the below folder and filename:

  • C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe

The SectopRAT is a 32-bit executable, protected using the Themida packer, and its SHA256 is 501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4.

Once the “BRR.exe” is executed, the malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data.” These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system.

The following figure illustrates the browsers, games, email clients, and other software that the malware focuses on to extract sensitive information.

Figure 11 – SectopRAT target application list to steal sensitive information

Furthermore, it can steal important details from various cryptocurrency wallets such as Atomic, Exodus, Electrum, and Daedalus Mainnet. The malware has the capability to not only access cryptocurrency wallets through specific directories but it can also retrieve data from crypto wallet browser extensions, as mentioned in the table below.

Extension ID                      Wallet
ckpaelocniggkheibcacecnmmlmeodfa  CryptoBit
ibnejdfjmmkpcnlpebklmnkoeoihofec  TronLink
fhbohimaelbohpjbbldcngcnapndodjp  Binance Wallet
nkbihfbeogaeaoehlefnkodbefgpgknn  MetaMask


SectopRAT connects to its C&C server using the below IP:Port:

  • 95[.]143[.]190[.]57:15648

The below image depicts the activity associated with the initialization string. This string acted as a signal that the encryption status for the malware’s operations had been switched to “on” within the compromised system.

Figure 12 – SectopRAT memory strings


The deliberate introduction of multiple malware strains strategically enhances the capabilities and control of the threat actors (TAs) over the compromised system. This integration empowers them to carry out a diverse range of malicious activities, starting from the initial breach and extending to data extraction and the potential for remote control access. Through these intricate maneuvers, the likelihood of evading detection is heightened, allowing for a prolonged presence within the system and effectively achieving their malicious goals.

The most recent iteration of LummaC stealer now possesses the capability to load additional malware into the targeted system. In this particular campaign, LummaC stealer is utilized to retrieve and install the Amadey bot, recognized for its tasks involving system assessment, data theft, and the deployment of supplementary malicious payloads. Subsequently, the Amadey bot is executed to fetch SectopRAT, a .NET Remote Access Trojan recognized for its diverse functionalities, including various undetected methods.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Implement sophisticated email filtering solutions to detect and prevent spam, phishing attempts, and malicious emails.
  • Refrain from accessing links and attachments from unfamiliar or untrusted sources. Always confirm the credibility of the sender before engaging with links or attachments.
  • Download and install software applications solely from reputable and well-established sources. Avoid obtaining software from online sources that lack credibility or verification.
  • Install a reliable antivirus and comprehensive internet security suite on all devices. Regularly update and scan for potential threats to ensure ongoing protection.
  • Utilize URL filtering tools to block access to known malicious websites and domains. Prevent users from inadvertently downloading malware from dangerous URLs.
  • Conduct periodic cybersecurity training sessions for employees. Educate them about the latest threats, phishing tactics, and the risks of email attachments and links.
  • Emphasize the importance of not downloading or executing files from unknown sources. Raise awareness about the potential consequences of interacting with suspicious content.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic                Technique ID  Technique Name
Execution             T1204         User Execution
Execution                           Windows Management Instrumentation
Persistence           T1547.001     Registry Run Keys / Startup Folder
Privilege Escalation  T1055         Process Injection
Defense Evasion       T1497         Virtualization/Sandbox Evasion
Defense Evasion                     Obfuscated Files or Information
Defense Evasion                     Disable or Modify Tools
Defense Evasion                     Software Packing
Defense Evasion                     Deobfuscate/Decode Files or Information
Defense Evasion                     Reflective Code Loading
Credential Access     T1003         OS Credential Dumping
Credential Access                   Input Capture
Discovery             T1057         Process Discovery
Discovery                           Query Registry
Discovery                           System Information Discovery
Discovery                           File and Directory Discovery
Discovery                           Security Software Discovery
Collection            T1005         Data from Local System
C&C                   T1071         Application Layer Protocol
C&C                                 Encrypted Channel
C&C                                 Ingress Tool Transfer

Indicators of Compromise (IOCs)

Indicator                                          Indicator Type  Description
hxxp[:]//exitlife[.]xyz/c2sock                     URL             LummaC stealer C&C
hxxp[:]//africatechs[.]com/Amdaygo[.]exe           URL             Amadey Payload URL
hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php  URL             Amadey C&C
hxxp[:]//patriciabono[.]com/BRR[.]exe              URL             SectopRAT Payload URL
95[.]143[.]190[.]57:15648                          IP:Port         SectopRAT C&C
hxxp://enfantfoundation[.]com/amday[.]exe          URL             Similar Amadey Payload URL

ET Rules

2046637 ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt LummaC Stealer
2039423 ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1
2043206 ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
2039425 ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup
2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 Amadey Bot
2045752 ET MALWARE Win32/Amadey Payload Request (GET)
2044623 ET MALWARE Amadey Bot Activity (POST)
2044695 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

YARA Rules

rule LummaC_Stealer
{
    meta:
        author = "Cyble"
        description = "Detects LummaC Stealer Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "LummaC Stealer"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"

    strings:
        // C&C endpoint and artifact names observed in LummaC process memory
        $a = "/c2sock" ascii wide
        $b = "TeslaBrowser" ascii wide
        $c = "Software.txt" ascii wide
        $d = "System.txt" ascii wide
        $e = "/c2conf" ascii wide

    condition:
        all of them
}


rule AmadeyBot
{
    meta:
        author = "Cyble"
        description = "Detects Amadey Bot Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "Amadey Bot"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"

    strings:
        // C&C path and the check-in parameters (bot id, antivirus, hostname, username)
        $a = "/index.php" ascii wide
        $b = "\\MsBuild.exe" ascii wide
        $c = "id=" ascii wide
        $d = "&av=" ascii wide
        $e = "&pc=" ascii wide
        $f = "&un=" ascii wide

    condition:
        all of them
}


rule SectopRAT
{
    meta:
        author = "Cyble"
        description = "Detects SectopRAT Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "SectopRAT"
        scan_type = "Memory"
        severity = 100
        reference_sample = "75e64bd57bfaad471d202d46b726473ccf2182d9d511a32304903324648a90b1"

    strings:
        // Browser profile paths targeted for theft and C&C message field names
        $a = "\\User Data" ascii wide
        $b = "EncryptionStatus\",\"Status" ascii wide
        $c = "BotName" ascii wide
        $d = "BotOS" ascii wide
        $e = "URLData" ascii wide
        $f = "Web Data" ascii wide
        $g = "User Data\\Local State" ascii wide

    condition:
        all of them
}
