Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29-05-2024 14:03

General

  • Target

    3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe

  • Size

    1.8MB

  • MD5

    e427f7e972e458acca51c043839c9c04

  • SHA1

    800cb9174a2afeb2a1402d7bd8deee4f97e36a4d

  • SHA256

    3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27

  • SHA512

    a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70

  • SSDEEP

    49152:BKLAvkPPHS++crkFwOnxAvpmcTajVMNqq:qAvkXxrkbneBmcuZeqq

Malware Config

Extracted

  • Family: amadey
  • Version: 4.21
  • Botnet: 49e482
  • C2: http://147.45.47.70
  • Attributes
    • install_dir: 1b29d73536
    • install_file: axplont.exe
    • strings_key: 4d31dd1a190d9879c21fac6d87dc0043
    • url_paths: /tr8nomy/index.php
  • rc4.plain

Extracted

  • Family: redline
  • Botnet: 1
  • C2: 185.215.113.67:40960

Extracted

  • Family: lumma
  • C2: https://femininiespywageg.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 8 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (5 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 4 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
    "C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID: 1736
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID: 2196
      • C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        • Executes dropped EXE
        • Modifies system certificate store
        PID: 1524
      • C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID: 3896
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 4716
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 344
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe (separate top-level launch)
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID: 3892
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe (separate top-level launch)
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID: 1100

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Virtualization/Sandbox Evasion: T1497 (2)
  • Subvert Trust Controls: T1553 (1)
  • Install Root Certificate: T1553.004 (1)
  • Modify Registry: T1112 (1)

Discovery

  • Query Registry: T1012 (3)
  • Virtualization/Sandbox Evasion: T1497 (2)
  • System Information Discovery: T1082 (2)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
    Filesize: 1.1MB
    MD5: 7cea595dbd1fdd056b616f7fa6c68dee
    SHA1: c7962d3a9e57f838e8d86709ff6a72bf9046d22e
    SHA256: 4a34a915c77f67ee89df3be2c286cf3c135da8ee38c8590151de6b6f75f1412f
    SHA512: 04e77c27a55bd1a665c540d902ad161758be4c479ceec1f82a7196b93a6a77d7d600c1cc2b5765be447f7cd33caac21a25cc7253e4727f14557ff5a469e63a4d

  • C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
    Filesize: 304KB
    MD5: 84bf36993bdd61d216e83fe391fcc7fd
    SHA1: e023212e847a54328aaea05fbe41eb4828855ce6
    SHA256: 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
    SHA512: bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

  • C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
    Filesize: 518KB
    MD5: c4ffab152141150528716daa608d5b92
    SHA1: a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
    SHA256: c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
    SHA512: a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    Filesize: 1.8MB
    MD5: e427f7e972e458acca51c043839c9c04
    SHA1: 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d
    SHA256: 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
    SHA512: a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70

  • C:\Users\Admin\AppData\Local\Temp\TmpE29B.tmp
    Filesize: 2KB
    MD5: 1420d30f964eac2c85b2ccfe968eebce
    SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
    SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
    SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

  Memory dumps (Filesize per dump):

  • memory/344-119-0x0000000000400000-0x0000000000455000-memory.dmp: 340KB
  • memory/344-117-0x0000000000400000-0x0000000000455000-memory.dmp: 340KB
  • memory/1100-55-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/1100-53-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/1524-98-0x0000000006CA0000-0x0000000006CB2000-memory.dmp: 72KB
  • memory/1524-74-0x0000000000B50000-0x0000000000BA2000-memory.dmp: 328KB
  • memory/1524-99-0x0000000006D00000-0x0000000006D3C000-memory.dmp: 240KB
  • memory/1524-100-0x0000000006E70000-0x0000000006EBC000-memory.dmp: 304KB
  • memory/1524-75-0x0000000005C80000-0x0000000006226000-memory.dmp: 5.6MB
  • memory/1524-97-0x0000000006D60000-0x0000000006E6A000-memory.dmp: 1.0MB
  • memory/1524-96-0x0000000007210000-0x0000000007828000-memory.dmp: 6.1MB
  • memory/1524-93-0x0000000006AD0000-0x0000000006AEE000-memory.dmp: 120KB
  • memory/1524-92-0x0000000005BC0000-0x0000000005C36000-memory.dmp: 472KB
  • memory/1524-76-0x00000000056D0000-0x0000000005762000-memory.dmp: 584KB
  • memory/1524-77-0x0000000005660000-0x000000000566A000-memory.dmp: 40KB
  • memory/1736-5-0x00000000000D0000-0x0000000000590000-memory.dmp: 4.8MB
  • memory/1736-0-0x00000000000D0000-0x0000000000590000-memory.dmp: 4.8MB
  • memory/1736-15-0x00000000000D0000-0x0000000000590000-memory.dmp: 4.8MB
  • memory/1736-3-0x00000000000D0000-0x0000000000590000-memory.dmp: 4.8MB
  • memory/1736-2-0x00000000000D1000-0x00000000000FF000-memory.dmp: 184KB
  • memory/1736-1-0x0000000077BF6000-0x0000000077BF8000-memory.dmp: 8KB
  • memory/2196-24-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-19-0x0000000000901000-0x000000000092F000-memory.dmp: 184KB
  • memory/2196-50-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-35-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-34-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-33-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-32-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-124-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-123-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-122-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-121-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-26-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-25-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-23-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-22-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-21-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-20-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-120-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-18-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/2196-51-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/3892-28-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/3892-29-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/3892-30-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/3892-31-0x0000000000900000-0x0000000000DC0000-memory.dmp: 4.8MB
  • memory/3896-118-0x00000000011A0000-0x00000000011A1000-memory.dmp: 4KB
  • memory/3896-116-0x00000000011A0000-0x00000000011A1000-memory.dmp: 4KB