Analysis
-
max time kernel
148s -
max time network
159s -
platform
windows11-21h2_x64 -
resource
win11-20240319-en -
resource tags
-
submitted
22-03-2024 03:26
General
-
Target
d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332.exe
-
Size
1.8MB
-
MD5
7c396270dd3aa8f5358a690fceff3a8f
-
SHA1
321c2273f7ceb2f8b084110ecff5a815132a4317
-
SHA256
d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332
-
SHA512
4af01db833d93c40bc6dc97f8b3b70915c4f4cf54e50eb17ffb71a4b04bd14b07f0d33e9e22693d140f70900a18b600072ed9f9baebf6dd4f3792d5dee3d0d85
-
SSDEEP
49152:Me/gTOROsgG4fJ6SfMowqDuHykaB/+WiGi6rFn17R4DGOkbk8:Me/UORLqxYoPuHxnSiC1VOkl
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 29 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332.exe"C:\Users\Admin\AppData\Local\Temp\d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001007001\bullpen12.exe"C:\Users\Admin\AppData\Local\Temp\1001007001\bullpen12.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 4764⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u46k.0.exe"C:\Users\Admin\AppData\Local\Temp\u46k.0.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\u46k.1.exe"C:\Users\Admin\AppData\Local\Temp\u46k.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 11603⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5928 -ip 59281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5420 -ip 54201⤵
-
C:\Users\Admin\AppData\Local\CanReuseTransform\fyvqu\TypeId.exeC:\Users\Admin\AppData\Local\CanReuseTransform\fyvqu\TypeId.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5f4f67936cc0b334cab50538ce9cbc208
SHA156378028aa9610871fcd7331cab17d668640819e
SHA256c627fd492ecbc440252c1e7afd317534c3a3f39542a1b478f2197df68019a401
SHA5122068a4f3d63d8b97e108b2d72edfb1d0d7a8daabfbb8854c505a64aaf1781a20e68122f718c4aef4cf2dd790f15041a2cb941e2b0cbe8173ad8920a94f2c1353
-
Filesize
1.5MB
MD5ffa06687f4e04e49188e821f31842d31
SHA11eee72255d2d778ab68f17d151c0b68a179e6d79
SHA256c54166480866db43c95fc2d212c2dcd19e26752bab13ad3f5c4ba8a3f5cb27e2
SHA512b6d1acbcce6e1c883da68129161c30a4b691525fd417d432386045d7fcc06038c797d45eb507ee3586bb251043862c130ba23d77b470d740a14f106af7c6ed56
-
Filesize
1.8MB
MD57c396270dd3aa8f5358a690fceff3a8f
SHA1321c2273f7ceb2f8b084110ecff5a815132a4317
SHA256d976e0a0a5ba6eef37a509186ef3c2732f1065b3bb34e96d4d0ac0f89d8f5332
SHA5124af01db833d93c40bc6dc97f8b3b70915c4f4cf54e50eb17ffb71a4b04bd14b07f0d33e9e22693d140f70900a18b600072ed9f9baebf6dd4f3792d5dee3d0d85
-
Filesize
832KB
MD5e3c0b0533534c6517afc94790d7b760c
SHA14de96db92debb740d007422089bed0bcddf0e974
SHA256198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952
SHA512d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e
-
Filesize
435KB
MD51f0dbc2d345f106d3c2296229b5f220c
SHA1c963f98776ad568e4ec1d02490041769e979a398
SHA2565c1b34e39a86328c7d8428f77143d40792036f720456409d495d7208a97e9553
SHA5122caed4a96fe8178d1029d91f1909a0a2dc1cc29849ac20d4632ea34146152891e06cc3799c51fafa49dcabda1b73c1e609f38bf6c512c9fcea78170ae6201bd0
-
Filesize
3.8MB
MD59ce6e2d4f4ec9cbb4984e565240f98a4
SHA1968bc3fc1d6424c8b094b6dec87298212061c31f
SHA25634d7d0806e67dfcfc736b986c6397ea113e3254147104da60cb5ec2bf96e6e79
SHA5122f536f33e4806e0aea0d66191500fd929472da259f4a7295147162d4e14af7ec5219e3e22317880bda1bf71316c82c71bef9a99d6452230479f70209cdc475a3
-
Filesize
1.8MB
MD56c3e707a22e4ae7e0f7548e736ef62b4
SHA1c6d4ff7a5310f061a3f7a84153a034aaf44ea10f
SHA256429dfc2122c4274963bcd4522866c818541782765e0ffd26312e44f74a785cce
SHA51215e6ebba85332d0dd84f5c15a9407b761d6a413db382c7e5f373629d301a101112c9ed299d1230cd303a68a2309a3052a7d7df47f2889f0298462d38ed1e91f5
-
Filesize
2.0MB
MD55f3f2a64c10d325c418a2659e1422844
SHA12c5dceaab13ca452e4e3fc81f9e0744fe7307e38
SHA2562c20ee374f60cc1ded6c9c6f67c4bc03ca0f93f2478a88b80afbd51b97fa10ff
SHA5129d2ee07451505e321125b3fc0fc98ee598deb662ad1ae2760d6a2de9d3165eb89ee3a0df939d18cb0b60c48351279000aaaf98a581813bcf542b6202606e4e39
-
Filesize
350KB
MD504df085b57814d1a1accead4e153909e
SHA16d277da314ef185ba9072a9b677b599b1f46c35b
SHA25691a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd
SHA512f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa
-
Filesize
256KB
MD5256dfa7d4d5aa725eff9b1c7d632aef5
SHA142b207fcf8c75b35e667c20fe1a1119c7f7c0552
SHA256d24b9cf4ace32ebaeb554e5f9fbae25fc6c15a198947f2d7d43a5d250ecb13de
SHA512c4faf352ad157132821169a81d68084f62f53aac2646af19bdd2d45c537fdb6c7b27212c08041f29776c5ad84dc2c69e93a15ccb567c198fc09125ee29b384ba
-
Filesize
409KB
MD583a54df2b454eb462579a74f05fc6c9f
SHA15e235c7174c3dd9979b7a8ad7eaf596775f2d6e2
SHA256cf7efb0f59fd6d747dcc6114019e6fcf797eb9a54e2706520557799fc18fc5e4
SHA512b862d9799791f9f5a28dc9a848486e8c5000d1425546200f8be9fa31d597fc8864172ba01c8ffc851aac8ff366d8b1f363bcd3ab57c7a3f926f4638904872dc7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5c1ddd3a99e05ca8de5bad7292e175b0f
SHA1a61660c30d2c48d76333cc6933843861a85f02fc
SHA25608cb802f71dbfeca8b7211eca7d46ace91f1f3698562b4adca194b1d7ef39895
SHA51237ba1be63d002f888435ce67af0b1cc839088d3382600cb124328a4c039ee90e84247111d51207a98fa48cccc9b978d34ac0aa8c15f0a06509f32df79cfa749a
-
Filesize
3KB
MD508df5f914084c10106dc52a28c2ee954
SHA1733f42b9a565fc22e02da98e0ae576ede9a6cc68
SHA256ae49b00b91efbeccb05c5436ecba8468f7ac1eb446a5a17fcaf6e4571ac6023f
SHA51224ce5486ef5b4d36b83d3703b8cc8e82e4f8a1951d6a2b28d2283b915917cea83f6f76c7a48ed3b395900eae8211602e81b1538989a432593646374e0aad5dd0
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
261KB
MD5117317fbb36d19cd13ec4ad689003337
SHA1255559041e48bf87b5409d62da5bdb93e4933c8d
SHA256afd1ac557f3abeb5bb9a8358f0a3b06e5d276ff7b478b768af4d34af6e15cba2
SHA5121c035c63157a3bb6cb00b9e3c2e6ea9af15b8b8edb3a6a34eb2a2530a3d080a37f806a6b2045bb68ede64373cb85b18b1e8632a331ad5448e9e77ffdd2801e80
-
Filesize
1.4MB
MD5b2c7714ba6d7ec1a911ae4c8c11156c8
SHA185faf4b120c5f2b137613000e98e327026967446
SHA256d657a1570bb70bdbc6990ef8eca015800e3c631f9fab4fe8c2bf4c64d8469373
SHA51210e2f3400d8ab1d84b2bbbcfcf529cf3af9f36d41c025cc5453ef549dc01d7cc19de4bab6d1c23fc7c4ce3cabaf89bee5d29bad088c7ca2ca23fe403392fc326
-
Filesize
1.7MB
MD56d5bf869c7be13c2b4a56caee83f6ab6
SHA1a80dafda3df3f2a0c234eda7a2ea8ed0dd44f05d
SHA25623e535fdb2a513e76c9b9400022b4de1857dbcc96830c8fa4be926ed8329387b
SHA51292f74311ccc044e9ca9c1a4d88ee64f71ef8435987014c510e963d04e70b1d22642a910b7e98cff01a2e195a150c93de5d49368006dc2f9b25c12aa5ed5e2565
-
Filesize
256KB
MD575a70b017f35b7701b434bba0069c384
SHA1fe96f0cfff2b0f0ffcee312f972c737a67b2d235
SHA2565900e3d1399c8129f577a1c83d73fbc517fa3b20a41d94c6c05295d31b9a1c7a
SHA512c4fb1e6b54164df00c5321e2387aaf64530511f763732da3ef5bee8ae91a73cd304fd9c28e3368a0a669637715d3d4c629f6fb2632dc32a4b5109e942ba9a7ff
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
64KB
MD5b6e852ed566188db3124b62cedf1f2b8
SHA1292a10e3c8d01aa7d2a3ee7cbd2c95d8eaceff7d
SHA256de0b07310345ac980b36a58042d094a44a1a7c6dfabdbca82840bce9b2d13d92
SHA5129b014543149bac0b34aab8feece9ce41f55dda94b7d207663bc5b1241e917284f25b016ddeb3d4dceb82289a55d94236f352fc0e8174599ffa81c2644583d04e
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
1024KB
-
Filesize
624KB
-
Filesize
928KB
-
Filesize
904KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
156KB
-
Filesize
408KB
-
Filesize
560KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
6.1MB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
376KB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
296KB