Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1b8ba6ec9b4ecf61a409159e5f72ab60b14a2f1f47433122986ab5fb7ce417d.exe

  • Size

    1.8MB

  • MD5

    cd53722594cf57b910d7311c69034e6b

  • SHA1

    ad4a79f29b5397d533c483998122cf47e791def7

  • SHA256

    c1b8ba6ec9b4ecf61a409159e5f72ab60b14a2f1f47433122986ab5fb7ce417d

  • SHA512

    b0c2ff4bda78bfb6e10b53287ea8bfc085f9bc07273deb4843fbcf62aef46ac2b226fef14520ed063f2a98ba836704928244f6810f90d3eb02ceb7e593f067ec

  • SSDEEP

    49152:ol/8FzpLcb8dYe+hEEr113zb/Sy8YMJcsvPPh:olkNlcbe+br1Jzb/9sX

Score
10/10
amadeyredline49e482newbilddiscoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

newbild

C2

185.215.113.67:40960

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1b8ba6ec9b4ecf61a409159e5f72ab60b14a2f1f47433122986ab5fb7ce417d.exe
    "C:\Users\Admin\AppData\Local\Temp\c1b8ba6ec9b4ecf61a409159e5f72ab60b14a2f1f47433122986ab5fb7ce417d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
        "C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2508
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:548
  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1000051001\newbild.exe
    Filesize

    297KB

    MD5

    c302ed158d988bc5aeb37a4658e3eb0a

    SHA1

    af658ccf6f44899a0ffb97759e6135f46dcd2f8e

    SHA256

    58bdeb7c3da885110d6983f3e7e752119ec8bf9da9631452b94ddc8bed6abf90

    SHA512

    94e4576e39d6cac2d5553cdec9def10926929a3f4262b5bc1caa3e7db64f0e73c00e5fc1aef08eff003d25a294edc1b95ba89a7880d93d97b873f8d275a4f09d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    Filesize

    1.8MB

    MD5

    cd53722594cf57b910d7311c69034e6b

    SHA1

    ad4a79f29b5397d533c483998122cf47e791def7

    SHA256

    c1b8ba6ec9b4ecf61a409159e5f72ab60b14a2f1f47433122986ab5fb7ce417d

    SHA512

    b0c2ff4bda78bfb6e10b53287ea8bfc085f9bc07273deb4843fbcf62aef46ac2b226fef14520ed063f2a98ba836704928244f6810f90d3eb02ceb7e593f067ec

    Download Submit

  • memory/548-80-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/548-78-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2180-58-0x0000000006400000-0x0000000006450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2180-55-0x0000000004D50000-0x0000000004D8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2180-50-0x0000000004A70000-0x0000000004A7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2180-64-0x0000000073290000-0x0000000073A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2180-62-0x0000000007820000-0x0000000007D4C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2180-61-0x0000000006910000-0x0000000006AD2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2180-51-0x0000000073290000-0x0000000073A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2180-57-0x0000000005700000-0x0000000005766000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2180-56-0x0000000004ED0000-0x0000000004F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2180-49-0x0000000004AB0000-0x0000000004B42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2180-54-0x0000000004CF0000-0x0000000004D02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2180-53-0x0000000004DC0000-0x0000000004ECA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2180-52-0x0000000005B90000-0x00000000061A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2180-48-0x0000000004FC0000-0x0000000005564000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2180-46-0x000000007329E000-0x000000007329F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-47-0x0000000000010000-0x0000000000060000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2508-70-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2508-69-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4248-88-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-19-0x00000000055C0000-0x00000000055C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-65-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-26-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-86-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-20-0x00000000055D0000-0x00000000055D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-21-0x00000000055B0000-0x00000000055B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-22-0x00000000055F0000-0x00000000055F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-23-0x0000000005590000-0x0000000005591000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-59-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-60-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-24-0x00000000055A0000-0x00000000055A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4684-25-0x0000000000C41000-0x0000000000C6F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4684-18-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-82-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-66-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-67-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-85-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-27-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-71-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-72-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-73-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-74-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-75-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-76-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-84-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-83-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4684-81-0x0000000000C40000-0x00000000010ED000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4944-5-0x0000000000110000-0x00000000005BD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4944-2-0x0000000000111000-0x000000000013F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4944-3-0x0000000000110000-0x00000000005BD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4944-17-0x0000000000110000-0x00000000005BD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4944-0-0x0000000000110000-0x00000000005BD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4944-1-0x0000000077684000-0x0000000077686000-memory.dmp

    Filesize

    8KB

    Download