Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-05-2024 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe

  • Size

    1.7MB

  • MD5

    031c0d7f77970ec5d4bcfb75d8f06e00

  • SHA1

    836e672c8a8c7ac88ef21948fcbc69ac0dec53ba

  • SHA256

    fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9

  • SHA512

    0c8ddfcdfde3d28043cc4eca439f45694316f4d52ef43a2d08dd3a46b399b37ea3b91b0f439e6d90f98dd5b3e5c204a2f21bb0230d55fcf9603d554987fa4c3e

  • SSDEEP

    49152:Zo7peQmJvyES6AgZimHB+1XtV/8yBs0KWfUpLmgwQ+:CMra6AgZtB+vB8Ca6UpqgD+

Score
10/10
amadeyriseproevasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7
Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 54 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe
    "C:\Users\Admin\AppData\Local\Temp\fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:560
        • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1988
        • C:\Users\Admin\1000006002\698639580a.exe
          "C:\Users\Admin\1000006002\698639580a.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:4620
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4848
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4940
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4180
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:3516
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000006002\698639580a.exe
      Filesize

      2.0MB

      MD5

      65aeca0a2e005df5dc7f08a0d71cf7c3

      SHA1

      f932daafec4916d1bb9b8e3481c27f09bd29057d

      SHA256

      393c1152e4a519a761924675212b12c9ff6d4e4f0d4cd9defa08ed99c349f353

      SHA512

      85393889a4efbd87123c0d14c0bd05335fcf9eb46fa590ca5900e1adf2882bc1cc68bf329561b75b167327f74785a01222b47ee74f6f4d805187275c4ece1d80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
      Filesize

      1.8MB

      MD5

      acbf3415c84289ab9808d2d7e5f8743d

      SHA1

      ca13a555e3f8f57e563bdd7fde57530db305c250

      SHA256

      7ae5191fde1f83494346e67aa99d2ca955ae31601593ad491b89baff9ce62098

      SHA512

      ddb4dbd87993bc4618a893c2d65deb8817c60c5d2c884f06eb55981c0d558ded5e1b719ea5c89229abec3b0c2c11d938440cc6b3e88b2dbabae0d42a7bae23c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      Filesize

      1.7MB

      MD5

      031c0d7f77970ec5d4bcfb75d8f06e00

      SHA1

      836e672c8a8c7ac88ef21948fcbc69ac0dec53ba

      SHA256

      fdd342ee4572636303a6647cca22f566c7d367b5dd0c4da675db119592ed9fb9

      SHA512

      0c8ddfcdfde3d28043cc4eca439f45694316f4d52ef43a2d08dd3a46b399b37ea3b91b0f439e6d90f98dd5b3e5c204a2f21bb0230d55fcf9603d554987fa4c3e

      Download Submit

    • memory/772-8-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-6-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-4-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-2-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-5-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-1-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-3-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-21-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-7-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/772-0-0x0000000000F80000-0x00000000014D2000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1400-74-0x0000000000190000-0x000000000063B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1400-61-0x0000000000190000-0x000000000063B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1852-30-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-29-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-27-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-25-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-28-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-23-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-20-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-26-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-103-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-24-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1852-34-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/1868-165-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1868-161-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-107-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-110-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-104-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-116-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-133-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-75-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1988-113-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3516-155-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/3516-163-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-125-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-123-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-122-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-124-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-128-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-129-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-127-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-126-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4180-132-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4620-102-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-94-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-101-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-99-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-100-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-97-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-106-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-98-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-96-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4620-95-0x0000000000800000-0x0000000000E2B000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4848-39-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-45-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-37-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-35-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-36-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-40-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-42-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-43-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-41-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4848-38-0x0000000000EC0000-0x0000000001412000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/4940-131-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4940-120-0x0000000000DF0000-0x000000000129B000-memory.dmp

      Filesize

      4.7MB

      Download