Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-05-2024 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f.exe

  • Size

    1.7MB

  • MD5

    b254d967e0168d87fd7314c2462f12ed

  • SHA1

    855881b54033e663cdc506538cde1038de584287

  • SHA256

    9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f

  • SHA512

    d57688208e5b204e8782230eaa110a908d9abd05c8a0f965d50aee054d1e0dd9d4b48c9274aeea01bed9f95a9341e6e095396e476b61d4fd5bbbdc689b8be4f3

  • SSDEEP

    24576:MCj5TBuC1y1q8EsGR8XFnmjAROke0z2hBM4jYtAhug9+cmqgDC/tXGrLOfekwh:MCNM4nNIFmjJ0JLzW+cmvCFGdp

Score
10/10
amadeyriseproevasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7
Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 43 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f.exe
    "C:\Users\Admin\AppData\Local\Temp\9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:4308
        • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:3096
        • C:\Users\Admin\1000006002\b534dcce8a.exe
          "C:\Users\Admin\1000006002\b534dcce8a.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:3220
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:748
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3884
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:2448
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000006002\b534dcce8a.exe
      Filesize

      2.2MB

      MD5

      8d5de68c6d10a0b266aa20317d8e1052

      SHA1

      47ad1b285172cadbf20f2e87d0c52c5d7e668270

      SHA256

      90a33791503aa0d9392ba6dbecac53956d4c0be4f17273ccdb9424199e51e0da

      SHA512

      550438a92ea459ba038116e54d53ab73a9199ef3c7fa35f2c5a6a0d363b7ce3749c684a031007e4c6b501f0d71e5512750bbf7080dbd3e35571bdded1bdacb9f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
      Filesize

      1.8MB

      MD5

      6b31eb89f797a2c4b7afd3c029b0dac4

      SHA1

      e401d507b11e68dc66468ab45efac6fc9ca869af

      SHA256

      8febcf67cc46e6b56609984c709d360f667b709348ef7dd42b45c0d6afa2cb09

      SHA512

      885fe29738ca79601db6ee6ba87ea4c02fe4c407e875b1fc65e93302847bb3fed7c8481951fb2a75bdd6088c7f0b7c1d6839375df797e45aad4e62579bae62f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      Filesize

      1.7MB

      MD5

      b254d967e0168d87fd7314c2462f12ed

      SHA1

      855881b54033e663cdc506538cde1038de584287

      SHA256

      9276280817d21fa73a4c27322909cdfea2bb44235b79ab169bf4f494a23f242f

      SHA512

      d57688208e5b204e8782230eaa110a908d9abd05c8a0f965d50aee054d1e0dd9d4b48c9274aeea01bed9f95a9341e6e095396e476b61d4fd5bbbdc689b8be4f3

      Download Submit

    • memory/748-107-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-114-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-105-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-106-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-110-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-109-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-104-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-108-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/748-111-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2072-61-0x0000000000FA0000-0x000000000144E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2072-47-0x0000000000FA0000-0x000000000144E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2072-48-0x00000000773C6000-0x00000000773C8000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2448-137-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2448-147-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-1-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-0-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-19-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-2-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-7-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-4-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-6-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-5-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-3-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2740-8-0x0000000000540000-0x0000000000A93000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-27-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-22-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-21-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-26-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-24-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-29-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-90-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-28-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-23-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2900-25-0x0000000000ED0000-0x0000000001423000-memory.dmp

      Filesize

      5.3MB

      Download

    • memory/2984-149-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2984-145-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-92-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-126-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-129-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-100-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-62-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-97-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-95-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-123-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-121-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3096-117-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3220-86-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-89-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-85-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-93-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-81-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-82-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-88-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-87-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-83-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3220-84-0x0000000000B80000-0x0000000001215000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3884-115-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3884-116-0x0000000000180000-0x000000000062E000-memory.dmp

      Filesize

      4.7MB

      Download