Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25-06-2024 12:26
General
-
Target
dcfcdb9f8b420d3f36ad0afd49aa9e3f5872bf9591c30b037882d491ad6c4e87.exe
-
Size
1.8MB
-
MD5
409e0dc91c049f2c7e6c963045d7d377
-
SHA1
3710d4d30dd86494d2d0167a705706f2a2d548a3
-
SHA256
dcfcdb9f8b420d3f36ad0afd49aa9e3f5872bf9591c30b037882d491ad6c4e87
-
SHA512
fd5faa06f37bf220f3c5b605693ffb282d56de16c1706e2e292ee01896f301504701e4b9e269d0d63c9c2699fa9682b4f8f371214caccb1d74653b7f748aaf17
-
SSDEEP
49152:ixVwRMGsa49AxBKfJREOYQIxow/ilYGtVz:ixpa4e46/6SIVz
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcfcdb9f8b420d3f36ad0afd49aa9e3f5872bf9591c30b037882d491ad6c4e87.exe"C:\Users\Admin\AppData\Local\Temp\dcfcdb9f8b420d3f36ad0afd49aa9e3f5872bf9591c30b037882d491ad6c4e87.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\81240e62d8.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\81240e62d8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\4ce6aa3bb0.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\4ce6aa3bb0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2f8dab58,0x7ffe2f8dab68,0x7ffe2f8dab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 --field-trial-handle=1832,i,1844411187914633345,2864893775480345708,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
240B
MD54df1f67698593a3e24f2244d2a077d9f
SHA128e465c67e4166a600eb30f0755f029c2b954d3f
SHA256f713ef282697d1cad652059647d83249982eb0a32165a5a2009ef0cc0defc427
SHA5127f5e184d1c942c9739b7ea7106323b482cb3f3058c75ec3ae2aa89ab16ddc307799354891c4f83c7ab6259244b345d197aa5241a282da47927bcac02cf572219
-
Filesize
152KB
MD5fb66b9c217a07ad127822b2daa0c71f0
SHA131051841a16236e58288403763d684768a9d04ab
SHA25621d5c6eb27aa751b6092bd6b8d92c5a07ee69e28d131bdaa0342fc3bf3020480
SHA512e7d4cc3d973a93b3607168e6b5dd7e86753580a16752e302fab96c42e1a4d54537cba441dca36e0f693edf86314a2e02a4675d9cdae224882a23387ecdcc24c6
-
Filesize
2KB
MD565db733f586e2da9e9ba313e62e34402
SHA189d1ff0241ad4e469f9892c8fb277a9da50ce766
SHA25620cf22ab8c112975617a7e0d4c2ade839d9ada4310114bb12fdf2d67f77e781a
SHA512dc4d611792524d3b9c7080eb138df71a8f757a438526540e8190e71d6794fff1d5fb2c2a126e2d73e3050b7a411b592ae30e7817434e2b2111c7698a0ecf445d
-
Filesize
3KB
MD51e5354e0cb2e4f667d449e32bcc93689
SHA13070f1b7fa15377060db4d772503cf1faf235724
SHA25650acd02a8f96d32a6173baa0ec0e374c2cf65124586840c1e36f94f4727b2931
SHA5127ae0f489dfeb25bed54972fffa17f415d72d32cf0b458a1df004c9e28669b10fa6726d607f72ba6539d3ac29f3bce114b75cbeb2b4544d37c02d03d5f3f9246f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5cbbb6cbf2935c811485bf437ea50ba72
SHA1b6d9a5faf8c0e029fde013b10322c283bb1e7bf9
SHA2561ad96684782e61bf9474aade94888dfe56ab849b69e9894c546fce499ecae600
SHA512c1a9ef5eb99333f9d858e692f3b8f1921e934dcb5fb3d3c1fa581b956b55c21626ccb141c7872868289b4a9a6ece2470efcd309908dcfbe1165fe68ddd20e9d9
-
Filesize
7KB
MD52a9d79fb78169da9bc1d3b3473e67a06
SHA1af27c59e008cb0dff2fafa176569bba9c00d7173
SHA256b050ec03b65291a519e34ac2b237d7e45a570c64c0ecdb8e9bb4f60527c082f4
SHA5126a83996fe5a460d9dbe7da504bc8cb96c69387820192ab7d7cfaf800f272d4b87c017db4d5677298c302366214348f17b76f9b75bd09d2c9d0dd3828edcce969
-
Filesize
16KB
MD5144d67de25d86ca9a0c658d543e1f10c
SHA1c44c7df1a1b9eab0a39ba3bc7cc40d0982fe4027
SHA2562ea7296b53a711a4d3e04103b6682f48309db61082e0fec40ff163d05c5476f7
SHA512eed58f95e681bdb97ac468a67a5e3a0c020a09d7f5370951189cc61b9dca3f45d453d14ce7e796ff36c35f70e9e05e2f484700464e1b724fff84e5ac2b4c4b3d
-
Filesize
281KB
MD541392fb78a8ef3ce192386f5a17d1969
SHA15ca1a972c42c901a476312466c8e109455b196a7
SHA256ba8a9b24fc0dc355ce5788b08d2c9a448b48d19f8d8a8777503d6b5e44433c46
SHA5126214be1835a561ed41fb6a0a5eb8abed55af72d4c98e52bbf593c25de7242ea627f9c9e68d3da01f03557d89a7e4a4537bcaa193a5091b8c8e05509f8d0ec6f2
-
Filesize
2.3MB
MD5d0db3d33c1868fb105629ee3badb38c9
SHA14dad17472e1af064b0a5d9a451675c2cac89c71e
SHA25605e5cbf3a6e9cce11a526f27c67a45ec474e0238501f0db56bb51b66280f75c5
SHA512af37f2230c2c95e2694b74c969b752d9d744eb558cfbb53f73977616dce23923d8f7e1897be6005741445f689048a759495f34f75e42ef03a2e992291cc69582
-
Filesize
2.3MB
MD5904b965271b9e6b520817244d8e7102c
SHA1d704cc76bb31617caf3b36fcaf348b20145377ea
SHA256fb5bd8ebe2bd592f3c13f8a9f2dd8d10c2d22c503092b1154723eb2f413de064
SHA51260baed0f8e68c997072111f05d7b0a1d5d1bbf6d058506c136616356cf411fce06f074f6052d0f4846686d53cd4abab75b7a19e774f422fa7f65c14d17aa0f04
-
Filesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
Filesize
1.8MB
MD5409e0dc91c049f2c7e6c963045d7d377
SHA13710d4d30dd86494d2d0167a705706f2a2d548a3
SHA256dcfcdb9f8b420d3f36ad0afd49aa9e3f5872bf9591c30b037882d491ad6c4e87
SHA512fd5faa06f37bf220f3c5b605693ffb282d56de16c1706e2e292ee01896f301504701e4b9e269d0d63c9c2699fa9682b4f8f371214caccb1d74653b7f748aaf17
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
11.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB