Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
25-06-2024 15:05
General
-
Target
e8c929995d9dab60498e2d10a2df0a1f88584d2b943965b1876266b5709043c2.exe
-
Size
1.8MB
-
MD5
014babd2cbc6c99e08304ebf23209b41
-
SHA1
1ae3c2e88811c140ab8279a3c72fe51bd03dddd3
-
SHA256
e8c929995d9dab60498e2d10a2df0a1f88584d2b943965b1876266b5709043c2
-
SHA512
8c21fa72c0025a1c8d7e0cdb039803798269feb8d4b13b208130e2aba8804a0a8032b55042ec7c17f4e2dae69a03b9147595de48bb251a695b08648599ece9b1
-
SSDEEP
49152:tHaZjcHA+UmblG0fx69G3OgVs36YEnBdDH/7:tHaZjQnnldfx6rQW6YEnv
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8c929995d9dab60498e2d10a2df0a1f88584d2b943965b1876266b5709043c2.exe"C:\Users\Admin\AppData\Local\Temp\e8c929995d9dab60498e2d10a2df0a1f88584d2b943965b1876266b5709043c2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\aa65675233.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\aa65675233.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\0742a90af3.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\0742a90af3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e3c5ab58,0x7ff8e3c5ab68,0x7ff8e3c5ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1504 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3804 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1476 --field-trial-handle=1852,i,8172418196221168299,11634355841760241524,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD59eed7b48794d7120fcc0681bc2d661d6
SHA1690f34d53c6017b8af37a4dab4776d9b5593cedf
SHA2561961eaa6838398bf17e3168fd3d7f35cf40b973568755008857554bfd3870745
SHA51286c9344d81a96127d016d9967774deebfbec0b055b2b895152ea43cab7c97fb6d3e3c9beb47c2c411eae9558e8fe9645f7d5f37fa939ae5367af34c6de6a7762
-
Filesize
2KB
MD59a2ea7ac7e827de3912e044eaf79077d
SHA1611c2cfce8065ce4bf4f51fadcc32d6d1c03787e
SHA256347d0ced846ad6ad2343a7bbaf7ceee89002077e8810af234088ba8c13a36ffe
SHA512a705f52697ab238aebe790302e60ac48531d4c4949e0ce9f0b838ee04b275a330a793bb9512c99b4a102f3ae5e18a38d1f77121c0dd07e4c4521e537b2483ca7
-
Filesize
2KB
MD5c59640b3e2893a7dfdfc76b9adec3022
SHA1ae63e5085e57a6e399c527607fd02d65f11f001e
SHA2560783d30773d783d4613ebc9d50ee97b76ad43d0eb63691efaabf8de2b5099731
SHA512da1ec7d1536388c3b9f357047fc4ffb5c5bf61cf75d062decb585721097fd0bc9294f18ee29953fcfbffb8d5d6ffa1e4fef713a53e87e5486bfaa7afd60d81fd
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5e7e1a6c594df5ffd49255a34d5233d6b
SHA194cd7be40c1287952d60f8f3a7c969f3b22685fe
SHA2564c6e66cd05bf43db32fdb8b62f239b4f2c54f6382c4dd1f1ac011baa0c6790d4
SHA51267ef4402f9574672ea73b498cfcda081c4fb5191c39b405b561ca562e1a5cd308c0d81cf60d8ce4654d78724bb646e003da7ed9024369b502d2cfc52af6a0213
-
Filesize
7KB
MD551c2b4ac7a1a287b50ef95eef9405111
SHA1d3c0509f435002228fc1f7ef71fd25597b521ff4
SHA2564e2d2e7c23152e4c8b908a04053980aeb3e92ac48ead8c99394fd6aa36bab397
SHA5129a1526b579cb79021533c87a8634d7a8669d40c50c7a89908efd77676713fc87ecc88ad25ff411847cff0acb25e20055d813eb968d19aeb8ce5b9bb3a88fc8d5
-
Filesize
16KB
MD549f89aec8b7ccbcd449eef5c390a2fb1
SHA111ac10738877e72735f836726c442c6f5ea3b94c
SHA2567d76a56191f65eb2fecfcc832dd535ec6c798ec358afc1a24de405456af16575
SHA512cba8ddd5edb04faf350a71b610941ec76110e563029ef43df92aecaf1d0823cdf57d2470db2358dd30a7a3689f80c9710752c09f1dd0b17c536d1375675922df
-
Filesize
281KB
MD5769cb296483f2bc7f2da4896693c2aca
SHA1dd5bd2b6591b5f4b223f2d6335743dd74c7c0515
SHA256a2867690ae81da155810f6b29b20a3e7dc8b5c411b9cdf812e5934c6c4e683d7
SHA512c4764fb19f99b7ca5ef1ce743413981ee7a58dd5fbe14cf657b2093e9ab5172a782fd85a42407c0af9f28e34d213aacc4f3a1a20daa54b132cd75a1d7fe5dd03
-
Filesize
2.3MB
MD5130b239595865bfa17bc84bb9689510a
SHA1b5d4bc923f8f5ba045161e67d206af505f196e63
SHA256c69518089492c136eb8bc5902edf56e43978da0d1d71984f5c5baddf029903d4
SHA512b8181d981304e03c510324f93a0783ca6907df6fc3401b6a399ca285c2d4e0a410329b664f29801be43c7eb95dbe6514eea29afd665efb5b1cff5cae7373d50a
-
Filesize
2.3MB
MD5cf3a4941ec44506c7da30b00080ff0d7
SHA1faf7d1fed7962840903760b98154c2dcfaaaf84d
SHA256e8770429e60be8e4e8bcf3abc46404d5d5bb61a2632bc8b132a20f7d87d39375
SHA512a792d6f3d166465661b282550734f1b26060e0682183cf12a2db55b89ea463e9c6209e4e841fb4b55e80f5a5b2357420e9b9ecb5e45042d7215afc4760a19de2
-
Filesize
2.4MB
MD526a77a61fb964d82c815da952ebedb23
SHA18d9100fcc2e55df7c20954d459c1a6c5861228a1
SHA2562e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
SHA512793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
Filesize
1.8MB
MD5014babd2cbc6c99e08304ebf23209b41
SHA11ae3c2e88811c140ab8279a3c72fe51bd03dddd3
SHA256e8c929995d9dab60498e2d10a2df0a1f88584d2b943965b1876266b5709043c2
SHA5128c21fa72c0025a1c8d7e0cdb039803798269feb8d4b13b208130e2aba8804a0a8032b55042ec7c17f4e2dae69a03b9147595de48bb251a695b08648599ece9b1
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB