Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
03-06-2024 04:28
General
-
Target
c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f.exe
-
Size
1.8MB
-
MD5
e4bf424e5186b1219c62b82d44a6752f
-
SHA1
b369c3e97077ce31ce9e21622f5797c8af1a18ea
-
SHA256
c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f
-
SHA512
f57e86fa8fa84cc31e0cd99f219b97c6df9c0d93d9bdb79338498d5be65bc80e9062858c423b466bd340a7bf0fa059d746cbbb1a0836f89b63700afb56f8a799
-
SSDEEP
49152:tTAHpHUIslnCg3tXIb1Xf2F5vVzCT7f1tbXuQGjdXFx5PSkTOmd:tTdIsdtXU1Xf2dzCT/Tk/5akH
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
risepro
147.45.47.126:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f.exe"C:\Users\Admin\AppData\Local\Temp\c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\1000004002\f12e12e833.exe"C:\Users\Admin\1000004002\f12e12e833.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\5ef0144d63.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\5ef0144d63.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD52a47071ccf933c80aaf280afb07ff57a
SHA13a61ad0a4ab58d76037cb63d1557d1dcaff0e0b2
SHA25659840e0a3cbba4365655ce7a69458dec2ae958ffdfaa87ca19d8f3e293b88d7d
SHA5128a6fd863a5705b6d710f064a170b778a59660d1976eac5b1b379f7e0bd0c5686bcf04ae5e929ea43da7b81e3fda1f5541a2fd9351780814c820b14f361d8586c
-
Filesize
2.3MB
MD58fa4e5b38cc51a3b9448ebfb09d856a5
SHA1de65eb72f32cea70261be517d21124ada855b36c
SHA25661fe65febcd3fe9486cebe9668aa9d7c830db95c18d1213f2b73e30bd9477835
SHA5125f3ab23d2e468e9d504d7474402c3888d37308cf607dec5a777d0c7d72f569067c17433b906874ef60cf3a9ae80d81b87287e1dbc16e48323bbb78dabbcb15ed
-
Filesize
1.8MB
MD5e4bf424e5186b1219c62b82d44a6752f
SHA1b369c3e97077ce31ce9e21622f5797c8af1a18ea
SHA256c5ba3282a64750420d0d9dd90ac9019dda3742aa9ff202c82a7ffd178268cd6f
SHA512f57e86fa8fa84cc31e0cd99f219b97c6df9c0d93d9bdb79338498d5be65bc80e9062858c423b466bd340a7bf0fa059d746cbbb1a0836f89b63700afb56f8a799
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB