Resubmissions
27-06-2024 05:17
240627-fy7tcawhkr 1002-06-2024 07:35
240602-jeng5sfa6t 1002-06-2024 07:25
240602-h878zaeg9y 10Analysis
-
max time kernel
145s -
max time network
117s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
02-06-2024 07:25
General
-
Target
8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe
-
Size
1.8MB
-
MD5
ac7237bfbd3e63efa1c29bf506a5833d
-
SHA1
1d0160a085b8aa1383cba4e6c0b789014cf3cfe6
-
SHA256
8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908
-
SHA512
a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb
-
SSDEEP
24576:Q+SDM3ZxtLyy1EGw1wKO6+O3Osp8ljtbfEbuMJpd2QLXWoRu7CeE2oK:fSDMpxj1I1NZkjRfWuMJu6cGg
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
newbild
185.215.113.67:40960
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe"C:\Users\Admin\AppData\Local\Temp\8fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exeFilesize
297KB
MD5c302ed158d988bc5aeb37a4658e3eb0a
SHA1af658ccf6f44899a0ffb97759e6135f46dcd2f8e
SHA25658bdeb7c3da885110d6983f3e7e752119ec8bf9da9631452b94ddc8bed6abf90
SHA51294e4576e39d6cac2d5553cdec9def10926929a3f4262b5bc1caa3e7db64f0e73c00e5fc1aef08eff003d25a294edc1b95ba89a7880d93d97b873f8d275a4f09d
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeFilesize
1.8MB
MD5ac7237bfbd3e63efa1c29bf506a5833d
SHA11d0160a085b8aa1383cba4e6c0b789014cf3cfe6
SHA2568fdd6e5a048925c75f0187041cee6833ceb3f4f1d0ef34405016aa81da461908
SHA512a3826b72be1815fbd782d9f6b20f732339d1540f378dd95c26e34b14cd60d57e9e613361b8c20da9f9fcead0c2ce84998eeb48ee3b5addc22b9374401a4c42eb
-
memory/1584-47-0x00000000058C0000-0x00000000058D2000-memory.dmpFilesize
72KB
-
memory/1584-54-0x0000000008380000-0x00000000088AC000-memory.dmpFilesize
5.2MB
-
memory/1584-41-0x0000000000C30000-0x0000000000C80000-memory.dmpFilesize
320KB
-
memory/1584-40-0x000000007316E000-0x000000007316F000-memory.dmpFilesize
4KB
-
memory/1584-50-0x0000000006320000-0x0000000006386000-memory.dmpFilesize
408KB
-
memory/1584-45-0x0000000006940000-0x0000000006F58000-memory.dmpFilesize
6.1MB
-
memory/1584-44-0x0000000005730000-0x000000000573A000-memory.dmpFilesize
40KB
-
memory/1584-48-0x0000000005A30000-0x0000000005A6C000-memory.dmpFilesize
240KB
-
memory/1584-42-0x0000000005D70000-0x0000000006316000-memory.dmpFilesize
5.6MB
-
memory/1584-49-0x0000000005A70000-0x0000000005ABC000-memory.dmpFilesize
304KB
-
memory/1584-51-0x0000000007D00000-0x0000000007D50000-memory.dmpFilesize
320KB
-
memory/1584-46-0x0000000005B40000-0x0000000005C4A000-memory.dmpFilesize
1.0MB
-
memory/1584-53-0x0000000007440000-0x0000000007602000-memory.dmpFilesize
1.8MB
-
memory/1584-43-0x00000000057C0000-0x0000000005852000-memory.dmpFilesize
584KB
-
memory/3564-70-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/3564-71-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/3836-5-0x00000000006C0000-0x0000000000B70000-memory.dmpFilesize
4.7MB
-
memory/3836-0-0x00000000006C0000-0x0000000000B70000-memory.dmpFilesize
4.7MB
-
memory/3836-3-0x00000000006C0000-0x0000000000B70000-memory.dmpFilesize
4.7MB
-
memory/3836-1-0x00000000777A6000-0x00000000777A8000-memory.dmpFilesize
8KB
-
memory/3836-17-0x00000000006C0000-0x0000000000B70000-memory.dmpFilesize
4.7MB
-
memory/3836-2-0x00000000006C1000-0x00000000006EF000-memory.dmpFilesize
184KB
-
memory/4232-52-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-72-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-20-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-56-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-58-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-59-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-77-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-76-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-63-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-64-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-65-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-66-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-67-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-19-0x0000000000F11000-0x0000000000F3F000-memory.dmpFilesize
184KB
-
memory/4232-69-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-18-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-21-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-73-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-74-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4232-75-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4632-62-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4632-60-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4660-79-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB
-
memory/4660-80-0x0000000000F10000-0x00000000013C0000-memory.dmpFilesize
4.7MB