Analysis
-
max time kernel
89s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
26-06-2024 01:08
General
-
Target
2e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73.exe
-
Size
2.4MB
-
MD5
26a77a61fb964d82c815da952ebedb23
-
SHA1
8d9100fcc2e55df7c20954d459c1a6c5861228a1
-
SHA256
2e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73
-
SHA512
793a6dcd9d3eae88b25a24895f0cf2b23060e8b59788b0bbf357a8fd7df0f536301912dcdd8c2ccf08313f89322a350c5bbc0bdce08a44bedd862cf8d421ab9a
-
SSDEEP
49152:6ia4dCxGEzut9XYlu2fFNwLTxiYumd7Q/BFEUS2NbUd2Tb1:fKEEze9Uu2f8/cLmdcPSqbUdch
Malware Config
Extracted
stealc
default
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Detect binaries embedding considerable number of MFA browser extension IDs. 1 IoCs
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 48 IoCs
-
Suspicious use of SendNotifyMessage 43 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73.exe"C:\Users\Admin\AppData\Local\Temp\2e1662bc8b93a8cea652f916afa628ce5646e3b62d15cf584188f7df066dca73.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDAKJJDBGC.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JDAKJJDBGC.exe"C:\Users\Admin\AppData\Local\Temp\JDAKJJDBGC.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\3a983f4959.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\3a983f4959.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\e08628efd7.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\e08628efd7.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7029758,0x7fef7029768,0x7fef70297787⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2332 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1132 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2208 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 --field-trial-handle=1304,i,11268568318858232085,1194852497570523722,131072 /prefetch:87⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\num.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDHJKKFBAE.exe"2⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD5f9371c1d60f77f5045cdf04439d04c11
SHA1b6d88c4d3b1137f59058639f2f034d59738a5008
SHA256603aaab0cf1673b1a04e5ddf79659d0719bee00a5f9e6737db245c143ccf332c
SHA512af205aa13ff76d00aa670c9f66e4c791d303c6aa1b5f3087305e1e7135a30f1fd317d0c5a7dd360721aac383ab7aac84063d8d89b3fa0c177236d30b7cc8fc3e
-
Filesize
6KB
MD57c361d44acf29a3e42ff121db760c454
SHA144ecf6e78b49821e08f75d2c220c14a44038e78d
SHA256d44c853fc84723f68dd6f39f8a9b775d1517df83ba1f1d96a8984fb7df81d13f
SHA5129494ed574a2255de5deec55b89381b521caf8f22ccd17d5d75ca58f6e295dca3e343056f6dbb28e308f17988d79bbcaf97898226e252233bc44160ce3a422352
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
2.3MB
MD56de1f49c539ba179be15afd803315274
SHA1f8502f01c4c71fc503ae0364723a4adf34da97ac
SHA256468f2d614362695689dd1d68f76fa6178dad5a267b4f3815bc87a68b16c22fa6
SHA51236e1d8691d824ef46b72fdcc7428f1d8714aae15840aab06af41e7aab49afcf79164aa8cc8e5034bae54db3434d516428008b1cd092155736eb89dc12ae89e98
-
Filesize
2.3MB
MD5c50e8f81aaec67d352801de3c7c02247
SHA1459bcd05d8b5bf72668e69d984197ef281e8dafc
SHA2564724b7d6ee30a4b79a06ea48edc7483ba3667c62182388047c52b58a9b5776fd
SHA51221b9ed60298e16cd0aaf96f17d0790252b66acdddff80ecf7d9490f18d59c3890e97eb4beb8e440df50d1e64b77cda5b1c619e2292354e17b4e97ee92f462a28
-
Filesize
2.4MB
MD5e3cbb274e66e95a1b7ee5c05d87abbd5
SHA193d96f3d0b6e5d13242c88af9dc9648cbc60fd0b
SHA256e6c76393ad6b5516ed6e84adbd0687f981bf3c419e99d9c235a6948e63d383d4
SHA5128fe240992730512b3647140cdc14ee37a94c4b3154b787460bd1a30d99053e48d2e5fb20ac6342b0ec2a36c998d78df22d9f81ee9e49cd303ad8b6ea51757c76
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5fd33c5a6ec043a22780094069ecd4f90
SHA12716ddb4df3dbe2c859b5e1dd1b29d1ff7583012
SHA2561e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c
SHA5125544cfe5f7b6ab87c5b5141834d251d0b78993e9b25aa3a8d709cb85192cd9af4c30e23ea46df362b1855e01eb0b06761a66b6a9c2af168ec13ecd0bdf1f40a0
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
3.8MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
972KB
-
Filesize
3.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
4.8MB
-
Filesize
5.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
5.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.4MB
-
Filesize
4.8MB
-
Filesize
5.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB