Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    511db60e9d5fc979942349992732b1b01d47d4a447de5c651fd976b85238c76c.exe

  • Size

    1.8MB

  • MD5

    308373af3edaf7fe8605ff2447e30c52

  • SHA1

    e774993d1c9b3ee92d82f01aefd9b4abf0096000

  • SHA256

    511db60e9d5fc979942349992732b1b01d47d4a447de5c651fd976b85238c76c

  • SHA512

    7ab29f93332f1d0af963509a6ff6a8ec941a738042370a550e1660342bd7395569c6adb32dd19300800edb2319dee193870b230f7c1b10d3ea25726a37420fd3

  • SSDEEP

    24576:HoFsrsIA0JZlFackcO99I75vsIsHEfpLhoteGVtc9taasf/KTIFyQf9ne4q2l2:5OSZlFa3cO99u6NGQFtcq7BFyQfU4Nl

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\511db60e9d5fc979942349992732b1b01d47d4a447de5c651fd976b85238c76c.exe
    "C:\Users\Admin\AppData\Local\Temp\511db60e9d5fc979942349992732b1b01d47d4a447de5c651fd976b85238c76c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:1508
        • C:\Users\Admin\1000004002\0780e4cb20.exe
          "C:\Users\Admin\1000004002\0780e4cb20.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1484
        • C:\Users\Admin\AppData\Local\Temp\1000005001\355233dd3d.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\355233dd3d.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3656
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1920
      • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4016
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1520
      • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3304
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3676

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\1000004002\0780e4cb20.exe
        Filesize

        1.8MB

        MD5

        b95610add3f9321e903a5586b3731826

        SHA1

        677704c4f91a19d27f1a5c05a81b3211c99bafa3

        SHA256

        72b1fd53e51193e962b965b9d4e2df83195940860eeeb722b8ef8233e2796a02

        SHA512

        cfdcb2c32a0d3c5f5a72e9f78440097fd5cfe29c7ecef54bbad1537921417adcedaff2f3e333750a1ac1af5b4641980472727b7de62332f9a1a4ba49a0b2db38

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1000005001\355233dd3d.exe
        Filesize

        2.3MB

        MD5

        adb34811932580170965d642023781a1

        SHA1

        5c228c7fb6f11594e0ca98b7d0cb7eff107408a2

        SHA256

        2e8ddbc469af5b47578d85e9b62cd5b5e6d87ea7dcb70152421277bfb060c77b

        SHA512

        bf825516767a7668044bafdfb1e8466ac37057c3df60152b6bc731e51acf4d13b4c2ba0452511036ba7cba79c95d81885d2017bd1eabe26fbc171d395b0c1944

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        Filesize

        1.8MB

        MD5

        308373af3edaf7fe8605ff2447e30c52

        SHA1

        e774993d1c9b3ee92d82f01aefd9b4abf0096000

        SHA256

        511db60e9d5fc979942349992732b1b01d47d4a447de5c651fd976b85238c76c

        SHA512

        7ab29f93332f1d0af963509a6ff6a8ec941a738042370a550e1660342bd7395569c6adb32dd19300800edb2319dee193870b230f7c1b10d3ea25726a37420fd3

        Download Submit
      • memory/952-56-0x0000000000630000-0x0000000000AEB000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/952-44-0x0000000000630000-0x0000000000AEB000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/952-42-0x0000000000630000-0x0000000000AEB000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-115-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-87-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-93-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-96-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-118-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-113-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-99-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-92-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-57-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-103-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1484-90-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/1520-81-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/1520-83-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-19-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-0-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-1-0x00000000779E4000-0x00000000779E6000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2388-3-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-18-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-10-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-6-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/2388-2-0x0000000000111000-0x000000000013F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2388-4-0x0000000000110000-0x00000000005D0000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/3304-111-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/3304-107-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/3656-88-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-101-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-91-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-104-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-98-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-120-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-78-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-117-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-95-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3656-114-0x0000000000D30000-0x000000000131A000-memory.dmp
        Filesize

        5.9MB

        Download
      • memory/3676-110-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/3676-108-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4016-82-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/4016-85-0x0000000000BE0000-0x000000000109B000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/4632-102-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-22-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-43-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-100-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-26-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-75-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-97-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-23-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-112-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-86-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-77-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-21-0x0000000000981000-0x00000000009AF000-memory.dmp
        Filesize

        184KB

        Download
      • memory/4632-116-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-94-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-20-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-119-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/4632-89-0x0000000000980000-0x0000000000E40000-memory.dmp
        Filesize

        4.8MB

        Download