Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
07/08/2024, 01:22
General
-
Target
400c2e1e4df55d79e8df9dae523e969c5cc005782012732c8e57babe63fc9240.exe
-
Size
1.8MB
-
MD5
c3675e31f1618e7fa33b1aa6a16f1f83
-
SHA1
a759529be3c61c3e13f68ab46e85f4fe4b431fd3
-
SHA256
400c2e1e4df55d79e8df9dae523e969c5cc005782012732c8e57babe63fc9240
-
SHA512
1acdaf8d3cc4684af47c7814832e2213732cac4a4322e34c363f7ac108815f08376248f689e0d3a4f341f33eb1e7139133210859ebafc946931b31989c88e6e1
-
SSDEEP
24576:iZf4O7YwDB2+xUxM36AvYVUcDZjAp05dJiI0t5PKKHn7AxysCWnLCY5p2NVI:axtB2+xUi6VUcddiPL1sYQL75kb
Malware Config
Extracted
amadey
4.41
0657d1
http://185.215.113.19
-
install_dir
0d8f5eb8a7
-
install_file
explorti.exe
-
strings_key
6c55a5f34bb433fbd933a168577b1838
-
url_paths
/Vi9leo/index.php
Extracted
stealc
default
http://185.215.113.24
-
url_path
/e2b1563c6670f193.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Stealc
Stealc is an infostealer written in C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\400c2e1e4df55d79e8df9dae523e969c5cc005782012732c8e57babe63fc9240.exe"C:\Users\Admin\AppData\Local\Temp\400c2e1e4df55d79e8df9dae523e969c5cc005782012732c8e57babe63fc9240.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000036001\c3604cb49f.exe"C:\Users\Admin\AppData\Local\Temp\1000036001\c3604cb49f.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.0.1422264250\356033563" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb99cd34-e520-463c-b51c-275145f27ce2} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 1300 108f9f58 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.1.325713569\457595033" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd39976e-5d76-4723-aee8-c0fd29e47c15} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 1504 e72458 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.2.1859056824\1757851" -childID 1 -isForBrowser -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25ea7c07-c8dc-476e-96b2-308358172321} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2352 19080658 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.3.1359903569\2062209927" -childID 2 -isForBrowser -prefsHandle 2644 -prefMapHandle 2640 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd330f8a-45fd-43f8-803d-87c9555c490f} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2660 e64858 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.4.1323477111\225191749" -childID 3 -isForBrowser -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e736699-1a10-4641-ab59-fc2c5b3def6b} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3936 1bf25358 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.5.624104300\1713016278" -childID 4 -isForBrowser -prefsHandle 4000 -prefMapHandle 4076 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34b04bce-83d3-43d0-85e7-f57fae5d97b1} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3924 1f546c58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.6.1383383385\456398253" -childID 5 -isForBrowser -prefsHandle 4216 -prefMapHandle 4220 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fcdebb-fc67-4584-992e-799a0834ea9d} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 4208 1f544e58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.7.2001688913\1319543655" -childID 6 -isForBrowser -prefsHandle 4392 -prefMapHandle 4396 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 700 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e1afb9-c09f-425b-8665-4325fcd5012d} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 4384 1f545a58 tab6⤵
-
-
-
-
-
C:\Users\Admin\1000037002\df3d11bf83.exe"C:\Users\Admin\1000037002\df3d11bf83.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\1000038001\bb05d06511.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\bb05d06511.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5167830f4197c880d66cd4ac20bbdd09b
SHA1fbceddc1a403753b7df7095f32b10ce3495e8dec
SHA2565ec452552f4dca04c201b9b393d0d4ed8ad105bd4a91fc08b11af404bc5d669e
SHA512cd72492993104e5c0cae4e4ea85be349ba8394f47391d98ead36d79ce2e94cf7451dab40d64b41b7a7aec4f9bad343ca7deede9897b78584f5c895ae061d86b5
-
Filesize
28KB
MD562f12a66d8c9ad517af373f8b8307393
SHA167dd098c09fc44747f1082eefa7414ade509c370
SHA256ca3b4e29e1d3154030717d50e8e4676f38375c45486d0b00a94f5fa6fe6610cc
SHA5126e75f32b5f9cb211dfb72ef9a2c2a3732a396855f476ffc99f3c33f80b1b12a4142e5494cfc19722abb7a091db34a5bc6423c554ffbef0a5854d0f85cebf956b
-
Filesize
1.8MB
MD5c3675e31f1618e7fa33b1aa6a16f1f83
SHA1a759529be3c61c3e13f68ab46e85f4fe4b431fd3
SHA256400c2e1e4df55d79e8df9dae523e969c5cc005782012732c8e57babe63fc9240
SHA5121acdaf8d3cc4684af47c7814832e2213732cac4a4322e34c363f7ac108815f08376248f689e0d3a4f341f33eb1e7139133210859ebafc946931b31989c88e6e1
-
Filesize
3.1MB
MD523741c83a3d91e333748af0be9610d53
SHA1fb2488c41945b7d8b37c3f9595939bf0549f9699
SHA256651de3d9c47e59eadb563daea14ee8bda60160cc514d03b00a32ddb29716e8d9
SHA5124450a4b17a762dcdc1b3cb1e32e6ff545f55234f333940c4bb5b158bc0cb9d2f45436bbda61c61d55cee8556f29d6b59b95d5b08120a4be50fe419772c4843cd
-
Filesize
187KB
MD559eefb04a8cb9a94d148464cd4324e93
SHA1e1e550383c9de11d18bb6cb5b8d83f62f51340bb
SHA256d9798bda5b0cd389f0b0f184ded085cded77a8652d96be4054789452b2a04ca5
SHA5127e5ee340188a83055311e9dde5c6bad8798899447281c56b0e2741d247c540c3b936fc51ad795ef10ffc8a7a15f616aa46c747b33793e7ddceecdff310614e7d
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
9KB
MD5eeac7647d268df5542ce9fc18f40f497
SHA15b349a5b29bf5042f07755a69bbc8db543aed77b
SHA256c79d73c4129bb9c2303e88486ba593370a41d7e4436eb5dc8a956d7e65b70b3f
SHA51204cb4b3db144a6b494e11bd94daefcc4e9b342d5ac8d4816888c966f95f3c70517336cbb6048be9da05b96674eed4913c8f31d75c144ccab42688690b6a8fd7b
-
Filesize
733B
MD5409d2a138f32c7ac9a40cc47bea97287
SHA1edb37f846204a65839646ebe19571c247bc93505
SHA256477a85c8e6b433d871c12deb42429520d2d7a99590b8fecc063ada18d45787b6
SHA51206915ba411cd198befad7a95214d69f1c1a17383535e2e638faeb845d62b3a747b836d8177d4e0428db9297c034e1d391ee87557511b85a93abded1a073c3ce7
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5eac835fe753a53ceda74b9e6af467b8b
SHA1445e2a6c8fec570404de156d0df9248ab2168a69
SHA2566883306e16e908e8e8092ec8ea26278acec65fd3b45e7c78aa3f5a5eb281bf07
SHA5120dbc8969123c578cce9d1561282005e69a4819f57e6cba5ea45cfcabdd51f179d61ab69db3256cfb0de2a3f8c7ffd5d448b002b621b8109e3d8308afc11c3a8a
-
Filesize
7KB
MD5e761e5cf4e355a5dfa5bbedaa761b857
SHA1b619af23cb061f49bdaf8959a2025c9f98eee78f
SHA256745e36ae807975ef26edd8e3c5066c9ecf96b75ea02dfac3753c603bbf3266f2
SHA5126344e0bc7a68562b37cccf3bc98140ae85cadf908d6df19278995f26450d9c66a65471e42a710f0053b3f6cb04430f320a6bdd373bb6f25bb7dce68f71beeabc
-
Filesize
7KB
MD55355fde91fac4ed70865b4d22ebd75f2
SHA15b97ae0d2faa0a3912410db5047202421c8c828c
SHA256a6bc15b5d1c687231aff882dabb0f40fd931dd0c73f09c6e3c7a93e6ec2b4cf8
SHA5122c854da5b77557edd1d85b8b43ffbf9dad2b1bde16ee7759eab7efa847923bd83854fc5d75af51f065b8fefb5cc57abfd18aef1b3a7bb6df4cc3d774f5b58ef1
-
Filesize
4KB
MD5bcb6b7452acff549f581ed0010d4b790
SHA13a3cedead9c1c5bf1ef08f1703f8eb90d113d7d4
SHA256ff9e7831348e6153ea64b7e5976f3026a891b83e5c2ba347a50494e7f9517f82
SHA5128c0b83c66ee8822645fe022a53aa5de162cf03d4d4b5510b867a3b5347d6e41fa4c763f3d5a5f9c7014ec612351a65e3e548f4138df11be9c3cb0829f829ca41
-
Filesize
4KB
MD5b3af87b1d9d1e8bd24743891ebc32cc5
SHA12b3e3f5e4a2693900256651d37041d27f2a5aeb8
SHA256c8f9823196aeafc81f8ff7d5e2cb08df419b9450e720ffc098d0aa060af87d44
SHA512539fcdf2bfa74727bd185f4d923a1b26e4b4793851a6378fbd7477b215442b8d1192c0d35ef51d3f48005dfc9661ee23e726f95667d57d73f87d039bfb264353
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
12.0MB
-
Filesize
2.3MB
-
Filesize
12.0MB
-
Filesize
2.3MB
-
Filesize
10.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB