Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
24-07-2024 06:22
General
-
Target
73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3.exe
-
Size
1.8MB
-
MD5
b2c7ce6fe0d3fb9cd8b518258c085bde
-
SHA1
b8144cc4f366319c62dde4a6abb1eeaec368a41f
-
SHA256
73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
-
SHA512
c15793c6c22c3996b015dee8f9d640b698f3d302225dae3312a1b0e7784bdcddbf1f88a0e5f437365d8a4f2e84262020b2ccccbdb9dc6599a8bd79537d2d7aee
-
SSDEEP
49152:+mMayu1j6bP+c9Uw5obU2lZTfQBkDaaDEeAfB4XxiI:3MDT+aUw2XykDareAfer
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
sila
http://85.28.47.31
-
url_path
/5499d72b3a3e55be.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3.exe"C:\Users\Admin\AppData\Local\Temp\73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000021001\0f5d0068a3.exe"C:\Users\Admin\AppData\Local\Temp\1000021001\0f5d0068a3.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 10964⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3036 -ip 30361⤵
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
209KB
MD5ead5c20b175ebddfc294f19d276d9f5a
SHA1f74b6cecb5a68042dee54de356a2ab8ca9d7f622
SHA2567e559097f4e87c8e7d7850bf969e86fa556f090455318c79abc23514201f99d4
SHA5122ad1a7460b4937cae9702ef5c3c0195ebfea3a352dbc6d978da978120e546b5c1b63c12d0a0a3d16b2f960d168437f477431f7e51ad6e6a078920cdc37e09cce
-
Filesize
1.8MB
MD5b2c7ce6fe0d3fb9cd8b518258c085bde
SHA1b8144cc4f366319c62dde4a6abb1eeaec368a41f
SHA25673b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
SHA512c15793c6c22c3996b015dee8f9d640b698f3d302225dae3312a1b0e7784bdcddbf1f88a0e5f437365d8a4f2e84262020b2ccccbdb9dc6599a8bd79537d2d7aee
-
Filesize
2.3MB
-
Filesize
1024KB
-
Filesize
192KB
-
Filesize
2.3MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB