Overview

overview

10

Static

static

3

785eaa3bc1...50.exe

windows7-x64

10

785eaa3bc1...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    785eaa3bc1ff11f50470a846c35cae7c4389c331c8a9eaaacfdced0b46a6b650.exe

  • Size

    1.9MB

  • MD5

    c84ab890634ffbc2ff51f707efb68cc2

  • SHA1

    b2afe57c4d8a68cc513239d61900992ee85a2249

  • SHA256

    785eaa3bc1ff11f50470a846c35cae7c4389c331c8a9eaaacfdced0b46a6b650

  • SHA512

    14a4bb9c3b5301c4a5e175b8268db34457a1ac648008cbe47b7b0eee7322ad4f29444e949527a92beb0de43e5f06a6ad6826158186cec2af8964432f01c8c067

  • SSDEEP

    49152:wR7msDJF85oDbrQSDsUghKGDIQ+PL+E2qls:Sm0F+oVD0hKGDIQeL+E2

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\785eaa3bc1ff11f50470a846c35cae7c4389c331c8a9eaaacfdced0b46a6b650.exe
    "C:\Users\Admin\AppData\Local\Temp\785eaa3bc1ff11f50470a846c35cae7c4389c331c8a9eaaacfdced0b46a6b650.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:2284
        • C:\Users\Admin\1000004002\b9b8e8c011.exe
          "C:\Users\Admin\1000004002\b9b8e8c011.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2016
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:5108
            • C:\Users\Admin\AppData\Local\Temp\1000036001\victor.exe
              "C:\Users\Admin\AppData\Local\Temp\1000036001\victor.exe"
              5⤵
              • Executes dropped EXE
              PID:212
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 232
                6⤵
                • Program crash
                PID:4168
        • C:\Users\Admin\AppData\Local\Temp\1000005001\14aa91fd4e.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\14aa91fd4e.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 212 -ip 212
      1⤵
        PID:224
      • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3804
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1880
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4168
      • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4740

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\1000004002\b9b8e8c011.exe
        Filesize

        1.8MB

        MD5

        238e6212561325caf21594988d686271

        SHA1

        9ea9b2247ca3f5791e91c74263ce4c8b9dd5952e

        SHA256

        861ea16c509308f3d4eaff3a6db620b48c6a0575626002ec287a5b356781e423

        SHA512

        6e42d5bea35d299cb5b38bcb4f27a71963cd92a690d8479cfc357e87607596ee7a27c2a565cb5c09f82e6f05523ae4b5f19c534a3e93c271ad79af62dc871e28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1000005001\14aa91fd4e.exe
        Filesize

        2.4MB

        MD5

        ebc16a7e0daafe552f108f405bd69026

        SHA1

        099f185bc565398aa0df32878b238dbca526bf22

        SHA256

        53da52ae0039ba4dfa7a5e61f2f3e6fe3277fc502bc22292e3eef8fa13a431aa

        SHA512

        d1d27562f9e2f3680e99bd659627da42de36112f22c3284f40dbce2ebe1c9369a8748077bc92a9c5c1b7bf58da641b42b7905c788124ecd275e0a58890721899

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1000036001\victor.exe
        Filesize

        312KB

        MD5

        01cff6fb725465d86284505028b42cfd

        SHA1

        f9182ea73fe1f80a41ba996ed9d00548c95abbcf

        SHA256

        3814ef98c5c16988df008a989038faf39943b32fb9687dc9347ac16df722e4cd

        SHA512

        ecf4e2e236dd55032c5e0ea4048557463519036279b586d53a1ef4ea50df049651385bbc11c55d515a73d6f568ea28080513035273de524466eae72b46461088

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        Filesize

        1.9MB

        MD5

        c84ab890634ffbc2ff51f707efb68cc2

        SHA1

        b2afe57c4d8a68cc513239d61900992ee85a2249

        SHA256

        785eaa3bc1ff11f50470a846c35cae7c4389c331c8a9eaaacfdced0b46a6b650

        SHA512

        14a4bb9c3b5301c4a5e175b8268db34457a1ac648008cbe47b7b0eee7322ad4f29444e949527a92beb0de43e5f06a6ad6826158186cec2af8964432f01c8c067

        Download Submit

      • memory/212-70-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1880-106-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/1880-107-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2016-52-0x0000000000E30000-0x00000000012F9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2016-39-0x0000000000E30000-0x00000000012F9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-124-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-91-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-20-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-19-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-18-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-102-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-54-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-127-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-138-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-141-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-121-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-21-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-92-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-117-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-94-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-95-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-96-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-115-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-112-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-99-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-143-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2260-147-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/2568-125-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-145-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-122-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-89-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-100-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-110-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-148-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-136-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-113-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-139-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-97-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-116-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-119-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/2568-142-0x00000000003C0000-0x00000000009C6000-memory.dmp

        Filesize

        6.0MB

        Download

      • memory/3804-109-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/3804-105-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4168-130-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4168-135-0x00000000002C0000-0x0000000000792000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4492-1-0x0000000077014000-0x0000000077016000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4492-5-0x0000000000790000-0x0000000000C62000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4492-0-0x0000000000790000-0x0000000000C62000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4492-3-0x0000000000790000-0x0000000000C62000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4492-17-0x0000000000790000-0x0000000000C62000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4492-2-0x0000000000791000-0x00000000007BF000-memory.dmp

        Filesize

        184KB

        Download

      • memory/4740-131-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4740-134-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-53-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-126-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-137-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-101-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-123-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-140-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-120-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-118-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-93-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-144-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-114-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-146-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-98-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/5108-111-0x00000000000F0000-0x00000000005B9000-memory.dmp

        Filesize

        4.8MB

        Download