Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
04-07-2024 10:27
General
-
Target
6294ab0c9c38f852221d0977bcd9b6fd8884eed85427a19dfc7ac0ab0bcd0ace.exe
-
Size
1.8MB
-
MD5
7b8c372faa91e9c2a360d344eb6a19f3
-
SHA1
0a6b77900620ce7d08e81ee7812e648b68667ec8
-
SHA256
6294ab0c9c38f852221d0977bcd9b6fd8884eed85427a19dfc7ac0ab0bcd0ace
-
SHA512
b0d660a592c725e605a4d726b3b48cd06a129e911bdfd1c0a4f6db8d347f425b08abdb766a0da569a0dff98512a9f56536030061ce52714d1c127bac16b7af05
-
SSDEEP
49152:g+CilFb+53oDhsrQsiXCkr/Ir+r9dDRJmcq3G:19O3oDhPCkr/ISdbq3
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
jony
http://85.28.47.4
-
url_path
/920475a59bac849d.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6294ab0c9c38f852221d0977bcd9b6fd8884eed85427a19dfc7ac0ab0bcd0ace.exe"C:\Users\Admin\AppData\Local\Temp\6294ab0c9c38f852221d0977bcd9b6fd8884eed85427a19dfc7ac0ab0bcd0ace.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000006001\a078349417.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\a078349417.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEHJJECBKK.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\IEHJJECBKK.exe"C:\Users\Admin\AppData\Local\Temp\IEHJJECBKK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KECFCGHIDH.exe"4⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000007001\fc20849d1f.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\fc20849d1f.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd29ab58,0x7ffedd29ab68,0x7ffedd29ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1868,i,6780007949677476449,14046911428283984955,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
216B
MD56eeee1ac7f5638b1b61b98c7d00f7efa
SHA1c74ea68f88366476768199bd317edb03d2b567e4
SHA25643eacd0e89fa75a313709c053ba41a3359e1810c46df92f761af7403488e1ae2
SHA5126e0bd6b1e7389da9b633759219de20f4dc57d7fc7b89749edad9f5be1b9fd04b98a1f12b4639f6ab9a5d0ff18ef8d387f68a24c9bbf2c2affd7fc442b23382fa
-
Filesize
2KB
MD5fc77cab5522e9d5b7cd96d4e7e128fe1
SHA1b21fd2b8cb90d1269f4159e49c3d2d00108213eb
SHA256cffd7dfc2048c013594f49495cf71a0fb5f0e589b8a0f2e2579ce503ccd0603d
SHA512054d7ac829a453604a8a01228467c16bc6de246f677a8b597134c25da7995a46d0dc1022de93a0a807e9deea5d0e97c1bc4cf7fbfce5b1c04738a795d06fd462
-
Filesize
3KB
MD5c2ddd5d18647e2b930c89cdb72969d14
SHA1fdb4a02fa927a94686290abc180ad420dfd14653
SHA256aeb92b2ef5cf20a6b22bb7ad9174a52839da7f97217e22d7c86af50f981213a1
SHA512eb4780ad1f58471ba1f89bedff826bf0fa24000e433099cd278005f5dee10706ae97fb37bcaf3e42ae9978ed36c80236e4618758608f4584e14a3a5ec3acf188
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5044ae583b341a1f47c1025048962a653
SHA109589f3311448cfe3cdf79e1e7c4893e1f33bd4b
SHA256844fc044fe845bbb07244548c224cd05f4aeb9a263850f1cfe2b7720cd6f87b3
SHA512cab41bdf3358f9a209b301916fedbfe8ce1ca048c19b66a44f935388f8de2d29123fddc90cc7710594d39fe5e8900e6e21cce5ab37eb97686d1c1b5be943d4fb
-
Filesize
7KB
MD5a04d2fc39a2a42a19107d93cb1c9daba
SHA182e1ddf1c1258595c92cd21259d71c903f7a9a5f
SHA2567ca8fa7d0862ebea3e11372109ad0973c3249c0f2f17b4f48f37aabefb7d8e8a
SHA512a74d46120660f298f20eabfe911ced3527f5d9f30c42c126a3f0ffe8e19db0fced25e73a1807d190941f6adbdbb96b76a7c9be90e4e09296173a67206f2ea032
-
Filesize
16KB
MD56e4df22ca67eaea4dd3f8e836685581e
SHA17812709fcfbe634ebd2d9c39b5cb13a7620456c9
SHA25608f74671849ba9585a24936117dbdaf9f1bb88499aae3b5459d8ba2f0a63ce56
SHA512308ac64237e73c0992f6e064f0d0d3fc7c32b8d3e9b93d2c31a7c5866779cc8104e10b19c87938fd7502027f59b1ad5468210d80d3f01863c934d7596e33875d
-
Filesize
279KB
MD568b366b31b4de2e0431b4e17de23d58f
SHA110d09024cfc9e1b9e6d99dc48174bfbca195880a
SHA2567f471ae81f2c03c200a3fa98c4b640f2a1cbea059fb2cbe1b81c1ba9a3d00ae5
SHA51256252addd162af5465807681419c37a9bd32d492767bf2132778b3d41ebd81cc29b6ecd947cad2f1033c52bd54c4d36ba43674a16ffb8dc060737cb73ca01398
-
Filesize
2.4MB
MD5747f49b526a931e987825204c1473a27
SHA1d3c3b40dc5d8f3bfc71c7cd2be06e346ab694fdd
SHA2565e3cae26ee0d86cf2c2660baf9d0fc27227173cc8440a94abe5c85a698e0293f
SHA5122b62045a2e6c67916847f793562de04e51a4a9221304df322abd643e98cf0e45bfb4de090d701578cfe039e3a1d98bf2a957a54b74148b56ff0643fd31c1dab8
-
Filesize
1.1MB
MD5fa96bf6af3e182bfec30c757de22ac18
SHA158c94a9d2744f87c524fb0141722b8c4f6d35acf
SHA2562308dd1f426a877a66b8c1faeafb19ba8810a6d9b1c575dc2250ea53b72e4e2a
SHA51231d936954fbaf9ed5893b3698390196f650ea28dcfec3ca74b0669141940f531362be4c9577a0799776f72bb1b31e920c1b061a7f90c4b7413567a6254ff47ae
-
Filesize
1.8MB
MD57b8c372faa91e9c2a360d344eb6a19f3
SHA10a6b77900620ce7d08e81ee7812e648b68667ec8
SHA2566294ab0c9c38f852221d0977bcd9b6fd8884eed85427a19dfc7ac0ab0bcd0ace
SHA512b0d660a592c725e605a4d726b3b48cd06a129e911bdfd1c0a4f6db8d347f425b08abdb766a0da569a0dff98512a9f56536030061ce52714d1c127bac16b7af05
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
972KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB