Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe

  • Size

    1.8MB

  • MD5

    4296e99064ff80e04fe93c8c3236f217

  • SHA1

    16aaa5afdae382df0af5fff0bb0ace09ed2f06eb

  • SHA256

    b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160

  • SHA512

    049511733e0dd2aa0b1df0df214f0c8c4ef68ad98e06dc5be847c1f2509d270d36e84883c7ce3af47b40ef605802e2a4fbbc3c52ff0390709da45a87eb8b1f94

  • SSDEEP

    49152:sTxVE8ysSnlZHIPWhlFHuNcIr766+bYvRGjm61xY:CxXGbhlxumIP6VYS1xY

Score
10/10
amadeyriseproevasionpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7
Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 45 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe
    "C:\Users\Admin\AppData\Local\Temp\b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:1572
        • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4880
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2504
        • C:\Users\Admin\1000006002\1b79175f97.exe
          "C:\Users\Admin\1000006002\1b79175f97.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:3612
        • C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
          "C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2240
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:3956
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1792
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4888
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:1268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000006002\1b79175f97.exe
      Filesize

      2.1MB

      MD5

      bdb4ffe3e6b1c429910cbbb509b01f9a

      SHA1

      8bd1903eb55c60387b7ddc68cf352a6055762f63

      SHA256

      15b3713c716478efade6a9354b3993ad8196922d173ef307b42cf7f55b013b61

      SHA512

      9331b11b726718606912702051e3fa3627cc53f4de16ff4b26c0c454fdf39163a59f09ef4e0f05b1826a99c5d5e0c0ae3a5a45cfce426543411f5a64cbb72275

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
      Filesize

      1.8MB

      MD5

      2d9c768a86b095245fb4d8b38343c18d

      SHA1

      9ab00ec0ddddc90e5901431d72f6b75c7d3a36a4

      SHA256

      e33753b6793acf93108ee09e792fcde82671fc7bae5c384c5e052f74c500f7b4

      SHA512

      96473c52f8b81e8f71708d5519f96fb108a3b6c864aaa33b714cd0d3eff64d221d64e8d36bc2ea39e15881e631a2cb41cdf75453a6b598c9e48fd5d1dd2fc15b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000012001\installer.exe
      Filesize

      621KB

      MD5

      611a4246c5aabf1594344d7bd3fccb4c

      SHA1

      cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

      SHA256

      aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

      SHA512

      0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      Filesize

      1.8MB

      MD5

      4296e99064ff80e04fe93c8c3236f217

      SHA1

      16aaa5afdae382df0af5fff0bb0ace09ed2f06eb

      SHA256

      b06baf62b281139d6197f6ac974a0abe601ee373b7ebbc9e8e663370147fe160

      SHA512

      049511733e0dd2aa0b1df0df214f0c8c4ef68ad98e06dc5be847c1f2509d270d36e84883c7ce3af47b40ef605802e2a4fbbc3c52ff0390709da45a87eb8b1f94

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45bikmpi.brl.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1268-276-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1268-268-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1268-267-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1268-266-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1268-270-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-3-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-2-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-5-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-7-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-6-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-20-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-1-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-0-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1392-4-0x00000000001A0000-0x0000000000700000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1792-243-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/1792-231-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2240-122-0x000000001CF10000-0x000000001CF2C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2240-121-0x000000001CBE0000-0x000000001CDA2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2240-120-0x000000001CF40000-0x000000001D468000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2240-132-0x000000001B530000-0x000000001B542000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2240-119-0x0000000000E20000-0x0000000000E2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2240-118-0x0000000000E50000-0x0000000000E72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2240-108-0x0000000000440000-0x00000000004E2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2296-23-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-123-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-21-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-24-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-28-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-27-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-26-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-25-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-22-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2296-80-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/2504-250-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-255-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-61-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-262-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-259-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-124-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-248-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-127-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-130-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-131-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2504-245-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-88-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-89-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-82-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-86-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-87-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-84-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-83-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-81-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-125-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3612-85-0x0000000000C90000-0x0000000001313000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3956-238-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-237-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-235-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-241-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-239-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-236-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-233-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-232-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3956-234-0x0000000000460000-0x00000000009C0000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4880-46-0x0000000000A50000-0x0000000000F10000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4880-47-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4880-60-0x0000000000A50000-0x0000000000F10000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4888-269-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4888-278-0x0000000000EA0000-0x0000000001360000-memory.dmp

      Filesize

      4.8MB

      Download