Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25-06-2024 22:50
General
-
Target
8aaf33bf3190b72432e2722ee91838224edc4d5a44a683b521123f3ca38a66b8.exe
-
Size
1.8MB
-
MD5
4247dfedb0337ee7a1989504bece411f
-
SHA1
f540804fdfff649eedd31fbe48c1e64b1d767c80
-
SHA256
8aaf33bf3190b72432e2722ee91838224edc4d5a44a683b521123f3ca38a66b8
-
SHA512
261936a712958d46ad9cf7d11c68b9323d27910fee7408317ff98b0ec3ab3f12f31447786e91b8d3faf61ba95de79baf492fba2e8d421fe8af5a702901f17f6d
-
SSDEEP
49152:fBN0fAJHUSpf2Djv5Q4D/nuYCZMnbeSo:f0GHTZMV7nVECb
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aaf33bf3190b72432e2722ee91838224edc4d5a44a683b521123f3ca38a66b8.exe"C:\Users\Admin\AppData\Local\Temp\8aaf33bf3190b72432e2722ee91838224edc4d5a44a683b521123f3ca38a66b8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\a08f6302f3.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\a08f6302f3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\d3f7dfa4ea.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\d3f7dfa4ea.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbfd2bab58,0x7ffbfd2bab68,0x7ffbfd2bab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3096 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2372 --field-trial-handle=1836,i,2844354805261781799,17266165767491388815,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD58d8c2c316843e66f0c78c3e94e7a039d
SHA13f7e5474031bf958a67fe24ec82e7be1125a7b73
SHA2560fda58ea7b5a5223aea6293e074a21c8d1fee2a362870001a7f6fc5de0fb0a93
SHA51231ed11f05dbf12ee2f59e783e647c32a352856d45ffbb74f2356adf9764c56e157ac3976387de9838523902de0a5b6c1ae6654b982266dfada11537a71c903dc
-
Filesize
2KB
MD5b7d8e628fa3fea17ab0b9e08c08a1cc0
SHA10163184819267f1dc0d750ed7e6ac421c3b35da7
SHA2564c9de5f28b4b41629c7fd755c7c3b553e40c070cbc85a13bafe99624767d52dc
SHA512e281b09ccc81e9079255d8ecd2e657ff70a6a92538e8d44867bf7ebaf0ee7131d8c46b7c7bfce22076cbef24d3fe372ed2368a4b3a8d42431250bbd5e75c9ebd
-
Filesize
3KB
MD5d183f9dd06cfbbe205e521eaba14b1d8
SHA1fbff88a7de82b30e6399b56b12e42bca82a85441
SHA2561c72c4499517127eb952e98561b1351fab624ae58b30b245178516640d0a94ac
SHA51201e3f181c35d38e5e08f7190093a8d2e6bee041fd34cab821b504362e41b56d14eed6205a805a8f2f92950a63dba4634e20efc2445dcd8851ddd92bacb242c8b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD54e5057464d843e3a9dc6d923c72128c3
SHA1b0dca442b8fae425d69dbbcaabe377625b2d3f8f
SHA2560927aa8733fb2693773ab449bb410d48297b13df69de24be86c1209c8b2d6a71
SHA51275d473839ad8d9bc9ae15c8d69b3575e179e877b4522132dae9b0f0fd8f35a1647d0caa7e93e3ea229f404d6d7d8ed3786933fe5ff88abb4cf344afacd844da9
-
Filesize
7KB
MD53e908e2ad40a33640c49c72bd89a5e3f
SHA1a07998dedcbfe820d794e5d485d5e7ea2ea99923
SHA256f3e3b5e6facd9049fc35b231a326916212f097802d8f19e3a3a48eadf233a6d9
SHA512da49382491310729a65f2a457204e195746df63d90d5228d3c6a971d05473b78bb157bee7862fa3f0346d13688bbd8e14244e69f28e86885aa59712e3711e58b
-
Filesize
16KB
MD5d12164a1a88812867f51f9ee3d0bb887
SHA1f6e3aad05afe851e7bd67efb46a8e263ff22e770
SHA256fa99229b2c0a485b4ce18711884e7e389c7380542aa63d5d14b26f1a1ba4ef4c
SHA5120abbe4d0103ac36c2a13b20e970bda7070ce2540d73a2c304a8cd0985bc705792af51c412c017cbc8b7c69a52fc8cf434260dc8c0b2a58b6e91e17aa561d0e92
-
Filesize
281KB
MD53ac5039a11338334a25bc2c52ed6c4c7
SHA128021f1150dba589b47ff93bc5f5135bc543c233
SHA2563a2f1eeb99243a0cb84f32264145e02ce9e8c9e1250ddae16d81e5dfaeb976e5
SHA512aa2264140954b8f979d5c11515eb4989fd493ef000e4ca80818e5a17c0dc87872a095157ce6f89eadedbe4cbb13e357a16239141d6b37ce1faebfc9393b059a7
-
Filesize
2.3MB
MD5d80d5c3b3f46774293bdd629bba997d8
SHA1b71f659a7c5ccbceae270fdf5e42abbcef3dd279
SHA256b295f4174de84592b7e5c9779fff8c1035367a3b160cb73486e9529022cea768
SHA5122ec088725b2b3de78b48db49f17c4c04ba16b5a4be79662d0436aeba4fe78a1995bb381677c97a26ba8f82d52472726073bc2758d591ea2af67415c0e31c3270
-
Filesize
2.3MB
MD53c0880e14613317fc196184634245f85
SHA1019898e62ae000603dcd10a1307b07b945429256
SHA2567678f4f9ad3e6c6e911cad73cb82e43438814eb5cbd9c88ca64737f61fafe7d1
SHA512ada3cc7b0e42abf1e7cc08f3279149cef732d3d7f7537331afd776be566df722cd3607187777248db2847b4939b65bbe14ab4087c4978dfab65d731b7ce5b0e3
-
Filesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
Filesize
1.8MB
MD54247dfedb0337ee7a1989504bece411f
SHA1f540804fdfff649eedd31fbe48c1e64b1d767c80
SHA2568aaf33bf3190b72432e2722ee91838224edc4d5a44a683b521123f3ca38a66b8
SHA512261936a712958d46ad9cf7d11c68b9323d27910fee7408317ff98b0ec3ab3f12f31447786e91b8d3faf61ba95de79baf492fba2e8d421fe8af5a702901f17f6d
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
4.6MB
-
Filesize
4.6MB