Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-05-2024 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe

  • Size

    1.8MB

  • MD5

    74cd4f517b8acbe4944edea47a1c9071

  • SHA1

    3158bccfb035095c27936239c0d3091d4ad5189b

  • SHA256

    5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09

  • SHA512

    cfe4ecd98854d6af07e663be12e198d2d11e1635ca02905b36f13dc233ade3ca2ff2ca53c4c780a202e3131990a88acb76a1c6811d0409c6c9b407a7b1430786

  • SSDEEP

    49152:CSCEi3mNv++cFSKpnmWvE6BkwCLV+Bhk:CS7Dv+6EnmWvEAkw4V+Bh

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
    "C:\Users\Admin\AppData\Local\Temp\5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:2012
        • C:\Users\Admin\AppData\Local\Temp\1000002001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000002001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:540
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2388
        • C:\Users\Admin\AppData\Local\Temp\1000003001\11fdc4c629.exe
          "C:\Users\Admin\AppData\Local\Temp\1000003001\11fdc4c629.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:4940
        • C:\Users\Admin\1000004002\e3c5ecf51e.exe
          "C:\Users\Admin\1000004002\e3c5ecf51e.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2740
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3864
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:952
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:864
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1000002001\amers.exe
      Filesize

      1.8MB

      MD5

      d621f5952ed932db832ed39968a5ac52

      SHA1

      ed47e99b536089eaabbe6479c9aa8b9975ef820e

      SHA256

      0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657

      SHA512

      c084d6587b37ec995bd179c1580b3d68899701dc22a955e7ae7775075a27412771e2ac58b85a980c0bd5c691154ef98cecb3678805d03e281d582c1ffb1be1fb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1000003001\11fdc4c629.exe
      Filesize

      2.1MB

      MD5

      7b1f6cc1bef0a256590075865abba136

      SHA1

      7634a11fc2b6457e92f530903b6c2861629c78ab

      SHA256

      1d5687aa7a3ec879c985333b3c1b06aee7b195d3774f0390d594451b7cb06da7

      SHA512

      3d4705eb97459310bccf05442960c7ad4135b3887a6474ba1e4e28e0bb33fcacb0d993ffbee0d91ef40964bf7cf1a1a34c03b634781af2fd67c79a46a2846b2d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Filesize

      1.8MB

      MD5

      74cd4f517b8acbe4944edea47a1c9071

      SHA1

      3158bccfb035095c27936239c0d3091d4ad5189b

      SHA256

      5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09

      SHA512

      cfe4ecd98854d6af07e663be12e198d2d11e1635ca02905b36f13dc233ade3ca2ff2ca53c4c780a202e3131990a88acb76a1c6811d0409c6c9b407a7b1430786

      Download Submit
    • memory/540-60-0x0000000000300000-0x00000000007B5000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/540-39-0x0000000000300000-0x00000000007B5000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/864-132-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/864-135-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/952-110-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/952-112-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1892-134-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1892-137-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-138-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-125-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-144-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-147-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-61-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-104-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-150-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-113-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-99-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-116-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-128-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-141-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-122-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2388-119-0x0000000000880000-0x0000000000D35000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2500-3-0x00000000002B0000-0x0000000000777000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2500-5-0x00000000002B0000-0x0000000000777000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2500-17-0x00000000002B0000-0x0000000000777000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2500-2-0x00000000002B1000-0x00000000002DF000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2500-1-0x0000000077DE6000-0x0000000077DE8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2500-0-0x00000000002B0000-0x0000000000777000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2740-96-0x00000000005B0000-0x0000000000A65000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2740-95-0x00000000005B0000-0x0000000000A65000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3440-103-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-127-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-152-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-18-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-149-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-102-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-100-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-115-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-98-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-118-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-97-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-121-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-19-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-124-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-146-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-106-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-20-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-130-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-143-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-21-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3440-140-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3864-111-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3864-108-0x0000000000130000-0x00000000005F7000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4940-75-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-73-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-77-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-78-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-79-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-76-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-74-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-72-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/4940-101-0x0000000000B50000-0x00000000011C3000-memory.dmp
      Filesize

      6.4MB

      Download