Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
25-05-2024 02:42
General
-
Target
9f6dc1c659a2431571e5c5a44d19c3f8bf08fe894193cf6f7f2e9c56993a59da.exe
-
Size
1.8MB
-
MD5
6fcb64650a0546917fcc284a803ea9be
-
SHA1
1f799cfadc8458ec95869cdb0c3f3f0fdc5058a6
-
SHA256
9f6dc1c659a2431571e5c5a44d19c3f8bf08fe894193cf6f7f2e9c56993a59da
-
SHA512
6c729e26866e054489cf2751333e97fa2c36c17299b710db668dc12de10ec9505784e5e14e0c6e9d203b431cc2de54a457cab316af8c5f624cef8cb6418e5d46
-
SSDEEP
24576:m1p+TDugCvPGZkknqCMLfeV9w8EokrMZn14lGGlYC0uKuo648OAngcC7qXS+:YpgZqCMaV9LjkrMD4lGGdN+YL
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.21
Botnet
0e6740
C2
http://147.45.47.155
Attributes
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
rc4.plain
Extracted
Family
amadey
Version
4.21
Botnet
49e482
C2
http://147.45.47.70
Attributes
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
rc4.plain
Extracted
Family
risepro
C2
147.45.47.126:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f6dc1c659a2431571e5c5a44d19c3f8bf08fe894193cf6f7f2e9c56993a59da.exe"C:\Users\Admin\AppData\Local\Temp\9f6dc1c659a2431571e5c5a44d19c3f8bf08fe894193cf6f7f2e9c56993a59da.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
C:\Users\Admin\1000004002\d1ccf16367.exe"C:\Users\Admin\1000004002\d1ccf16367.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000005001\50b3cc98bb.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\50b3cc98bb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\1000004002\d1ccf16367.exeFilesize
1.8MB
MD580a4fdcdc2957ab01ac72a2164ccb637
SHA116283fd176525e2142da335ee5c160f4a358b059
SHA256e3aec2a1ac63b50fea5b0bb28895f59f8484b46db6725e59c76ad9ebb13766d5
SHA51299f6506d5e8fc2705dcc9cb1924eee2e50fbe2ccf5f68cf4df2edb180e6c9bb28dfaf675cdd0e50cac1b241e2d111e3cdf28bbe2090a9b9a3efc9c230725e192
-
C:\Users\Admin\AppData\Local\Temp\1000005001\50b3cc98bb.exeFilesize
2.2MB
MD562ffd8088893846bb2fae98424a04b38
SHA10c0e19acd63d9133d2b52eb956519d6544784770
SHA256ab2d4f2783c56b4fef3e85504ac69c1842e02e17fe745ee1c2a6d15d91bd854e
SHA512ad33912cfcb477f29e2c20b63d842e11f1365b0e709e537e8fd54b2c4e68580d6a2274a70fc7fda009acdd8dc4dae0565df494945621849210c8f4a5c72e90f7
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeFilesize
1.8MB
MD56fcb64650a0546917fcc284a803ea9be
SHA11f799cfadc8458ec95869cdb0c3f3f0fdc5058a6
SHA2569f6dc1c659a2431571e5c5a44d19c3f8bf08fe894193cf6f7f2e9c56993a59da
SHA5126c729e26866e054489cf2751333e97fa2c36c17299b710db668dc12de10ec9505784e5e14e0c6e9d203b431cc2de54a457cab316af8c5f624cef8cb6418e5d46
-
memory/436-1-0x00000000778F6000-0x00000000778F8000-memory.dmpFilesize
8KB
-
memory/436-2-0x0000000000CC1000-0x0000000000CEF000-memory.dmpFilesize
184KB
-
memory/436-3-0x0000000000CC0000-0x000000000116B000-memory.dmpFilesize
4.7MB
-
memory/436-5-0x0000000000CC0000-0x000000000116B000-memory.dmpFilesize
4.7MB
-
memory/436-16-0x0000000000CC0000-0x000000000116B000-memory.dmpFilesize
4.7MB
-
memory/436-0-0x0000000000CC0000-0x000000000116B000-memory.dmpFilesize
4.7MB
-
memory/684-79-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-77-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-80-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-78-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-83-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-73-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-75-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-76-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/684-74-0x00000000001A0000-0x0000000000835000-memory.dmpFilesize
6.6MB
-
memory/720-39-0x0000000000330000-0x00000000007FF000-memory.dmpFilesize
4.8MB
-
memory/720-40-0x0000000000330000-0x00000000007FF000-memory.dmpFilesize
4.8MB
-
memory/720-53-0x0000000000330000-0x00000000007FF000-memory.dmpFilesize
4.8MB
-
memory/956-86-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-104-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-21-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-19-0x00000000005E1000-0x000000000060F000-memory.dmpFilesize
184KB
-
memory/956-81-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-134-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-84-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-20-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-85-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-17-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-130-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-89-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-122-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-92-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-119-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-94-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-116-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-112-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-109-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/956-107-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/1576-99-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/1576-102-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/1964-128-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/1964-126-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/3388-127-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/3388-124-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4104-101-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/4104-103-0x00000000005E0000-0x0000000000A8B000-memory.dmpFilesize
4.7MB
-
memory/4800-90-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-108-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-117-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-93-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-120-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-111-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-114-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-96-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-105-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-54-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-129-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-87-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-132-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB
-
memory/4800-82-0x0000000000110000-0x00000000005DF000-memory.dmpFilesize
4.8MB