Malware Analysis Report

2024-11-30 22:00

Sample ID 240705-t2j4ca1gnp
Target 7ad17f11aa6b1408999981b11078d674.exe
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616

Threat Level: Known bad

The file 7ad17f11aa6b1408999981b11078d674.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 16:33

Reported

2024-07-05 16:35

Platform

win7-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5305DA01-3AEC-11EF-AEC5-4605CC5911A3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426359085" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000e02263cedd89a1abfbe19d8c6114dd7438369bf21fa61d5b0accc710a45e4ce6000000000e80000000020000200000006fbfdaa029acb2ca8832933794ac82852203fe335323cbf2945b055b5a8b15cf20000000b4631b068a4ecd62239ec236ac1c447f9a17a35ad8d7a9e7dcf10c9e7d97377440000000a047c5ecdfeba3c151c2f225d31795b3654a30552a2b7c2b81ff2eda6261a70c6f4f13747c36f282c273c05ee3df6ebf977ca04331310dba28331dd5393d3557 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b34829f9ceda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe
PID 1556 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe
PID 1556 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe
PID 1556 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2768 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2396 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe
PID 2396 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe
PID 2396 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe
PID 2396 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe
PID 2396 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3032 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe

"C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJKJJEGIDB.exe"

C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe

"C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\3269fdf7d1.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1876-0-0x0000000000A90000-0x000000000167C000-memory.dmp

memory/1876-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1876-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1876-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1876-65-0x0000000000A90000-0x000000000167C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HIEHDAFHDH.exe

MD5 fa6419e8f5a6bee481357f2a1f40efeb
SHA1 666ca974b3918ca19323fe9813a14cb4790f028f
SHA256 9b428357147e9b84f035527c1308870147a2930027e20531df19429545f06421
SHA512 862feebede8863728cc3d34b48c0d3acea31279e96c39957a8b4e84f7d771ce65c7620a6fbeb80dd2e8c0bc9d6117e8d6ac63afeac3d0d0b89e28a48e1dc5dfa

memory/2768-82-0x0000000000030000-0x00000000004E8000-memory.dmp

memory/1556-81-0x0000000001D00000-0x00000000021B8000-memory.dmp

memory/1484-108-0x00000000000D0000-0x00000000001D0000-memory.dmp

memory/1484-107-0x00000000000D0000-0x00000000001D0000-memory.dmp

memory/2768-119-0x00000000064C0000-0x0000000006978000-memory.dmp

memory/2768-121-0x0000000000030000-0x00000000004E8000-memory.dmp

memory/2396-122-0x00000000012B0000-0x0000000001768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\10b7135ac8.exe

MD5 7ad17f11aa6b1408999981b11078d674
SHA1 57a4856e4db83685852d7c6037bb1bbde4793415
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
SHA512 06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

memory/2396-139-0x00000000065F0000-0x00000000071DC000-memory.dmp

memory/2396-141-0x00000000065F0000-0x00000000071DC000-memory.dmp

memory/2208-142-0x00000000009A0000-0x000000000158C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\3269fdf7d1.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2208-159-0x00000000009A0000-0x000000000158C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/2396-234-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-235-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-236-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-237-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-238-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-239-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-240-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-241-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-242-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-243-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-244-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-245-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-246-0x00000000012B0000-0x0000000001768000-memory.dmp

memory/2396-247-0x00000000012B0000-0x0000000001768000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 16:33

Reported

2024-07-05 16:35

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 4932 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe
PID 1284 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe
PID 1284 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe
PID 4128 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4128 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 4128 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe

"C:\Users\Admin\AppData\Local\Temp\7ad17f11aa6b1408999981b11078d674.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJEGHJECFC.exe"

C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe

"C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4932-0-0x00000000006D0000-0x00000000012BC000-memory.dmp

memory/4932-1-0x000000007EDA0000-0x000000007F171000-memory.dmp

memory/4932-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4932-79-0x000000007EDA0000-0x000000007F171000-memory.dmp

memory/4932-78-0x00000000006D0000-0x00000000012BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HDBKFHIJKJ.exe

MD5 fa6419e8f5a6bee481357f2a1f40efeb
SHA1 666ca974b3918ca19323fe9813a14cb4790f028f
SHA256 9b428357147e9b84f035527c1308870147a2930027e20531df19429545f06421
SHA512 862feebede8863728cc3d34b48c0d3acea31279e96c39957a8b4e84f7d771ce65c7620a6fbeb80dd2e8c0bc9d6117e8d6ac63afeac3d0d0b89e28a48e1dc5dfa

memory/4128-83-0x0000000000B90000-0x0000000001048000-memory.dmp

memory/4128-96-0x0000000000B90000-0x0000000001048000-memory.dmp

memory/3400-97-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-98-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-99-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-100-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3848-102-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3848-104-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-105-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-106-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-107-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-108-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-109-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-110-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3636-112-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3636-113-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-114-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-115-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-116-0x0000000000560000-0x0000000000A18000-memory.dmp

memory/3400-117-0x0000000000560000-0x0000000000A18000-memory.dmp