Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-05-2024 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91c6a3d9a458e15c67237718bc4c74cf7d8a38ac828b9ad010f2d1b0a25a36a7.exe

  • Size

    1.8MB

  • MD5

    05d98b7fc0b456457b26f0cf9f27175d

  • SHA1

    d38fea34d3b06f07ebab5b7229ee056bf70a5efe

  • SHA256

    91c6a3d9a458e15c67237718bc4c74cf7d8a38ac828b9ad010f2d1b0a25a36a7

  • SHA512

    34a89e18867b02ed788d9e99a630a4c2790e8c87593dcdf4b3ef1c1cf95ec6c3e66c7911dd73aeee2c339111a318402fe7bc637702dde7197a76fe75358cb4ca

  • SSDEEP

    49152:rD3eFH93aMbbZx/X/aEFOD14Kf+uWyW/80Bgqydrmcf:mH1aMb9NPkD14KWuWY0Bgqydrmcf

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91c6a3d9a458e15c67237718bc4c74cf7d8a38ac828b9ad010f2d1b0a25a36a7.exe
    "C:\Users\Admin\AppData\Local\Temp\91c6a3d9a458e15c67237718bc4c74cf7d8a38ac828b9ad010f2d1b0a25a36a7.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:5044
        • C:\Users\Admin\1000004002\ffaf44f106.exe
          "C:\Users\Admin\1000004002\ffaf44f106.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2220
        • C:\Users\Admin\AppData\Local\Temp\1000005001\04a0271d3c.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\04a0271d3c.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:2536
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3484
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3192
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000004002\ffaf44f106.exe
      Filesize

      1.8MB

      MD5

      7e03538dc25285b705604b2ace4492f0

      SHA1

      2a0a13d5eb4d394c6e18443602879aa428211a50

      SHA256

      d890e54e56f84854d4daace1ea55ad979191dd02c682dba496a405372dff1882

      SHA512

      3ae4641fa4410664041bf7d61565a0959faf42c8e16f8639fb6b65f8e7e2ea679fd28246be905289584fb68ff19266be7f86ddb8e681b4dc929ebc1017b7763c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1000005001\04a0271d3c.exe
      Filesize

      2.1MB

      MD5

      eac40b0f2ff92f87f0805fd66d2616ff

      SHA1

      bd5e547b35bb402294d824114a4f1462e4048fe6

      SHA256

      3596bd6a9c09e6000268927e0e4361dc75496aaa08776e01bc93a4b820614433

      SHA512

      0c06c198bf75fd0a7af990351e93d49df46fe67159cf2b2a0424c449de95a9031ef804a1f5f9cf82ecf98a92312933a4d54f2bf38b009b57f4a656feae196b62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Filesize

      1.8MB

      MD5

      05d98b7fc0b456457b26f0cf9f27175d

      SHA1

      d38fea34d3b06f07ebab5b7229ee056bf70a5efe

      SHA256

      91c6a3d9a458e15c67237718bc4c74cf7d8a38ac828b9ad010f2d1b0a25a36a7

      SHA512

      34a89e18867b02ed788d9e99a630a4c2790e8c87593dcdf4b3ef1c1cf95ec6c3e66c7911dd73aeee2c339111a318402fe7bc637702dde7197a76fe75358cb4ca

      Download Submit
    • memory/1432-119-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1432-117-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-86-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-82-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-133-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-19-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-129-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-21-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-126-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-123-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-120-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-18-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-111-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-71-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-108-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-105-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-102-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-100-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-96-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-83-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-20-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-87-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1440-81-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/2220-112-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-103-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-132-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-130-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-127-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-124-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-88-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-121-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-53-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-109-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-84-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-106-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-97-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2220-99-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2536-73-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-77-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-75-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-74-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-78-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-85-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-79-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-76-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-80-0x0000000000C30000-0x00000000012A4000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3192-115-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3192-118-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3484-91-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3484-94-0x0000000000D70000-0x0000000001242000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3616-0-0x00000000008A0000-0x0000000000D52000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3616-17-0x00000000008A0000-0x0000000000D52000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3616-3-0x00000000008A0000-0x0000000000D52000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3616-5-0x00000000008A0000-0x0000000000D52000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3616-1-0x0000000077E16000-0x0000000077E18000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3616-2-0x00000000008A1000-0x00000000008CF000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3680-39-0x0000000000CA0000-0x0000000001172000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3680-50-0x0000000000CA0000-0x0000000001172000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4040-93-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4040-95-0x00000000007C0000-0x0000000000C72000-memory.dmp
      Filesize

      4.7MB

      Download