Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 13:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    b25ec0de1bbd8453c78b8cc55203b741

  • SHA1

    0d04b0ff7267e22d2bbc273f83c1b5757960ac74

  • SHA256

    f3f02279a9ad82bb01021f1a132b8caac611f8d0ef18345d6d53674d7535049c

  • SHA512

    9baa2f68aa4a0565ae83b6131d2d4dd03c4a3a61bc106d356dbf4ada49bb47078472d4f85a128044921156d13b0e8f309e4035271b52741a452ec2fc4170eaa0

  • SSDEEP

    24576:xAxHJofJnIU75SIJVhEngJVvHYb75N/myAsaTaj4Wd7JVZVZWkda0bdURI5KtY:xYHJuaw5xhI1pND4GzzZ3lxURIIW

Score
10/10
amadeyredlinestealcdefaultfed3aalivetrafficcredential_accessdiscoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

C2

95.179.163.21:29257

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.17

Attributes
  • url_path

    /2fb6c2cc8dce150a.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 11 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2764
      • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 64
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2092
      • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2140

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
          Filesize

          323KB

          MD5

          d6fca3cd57293390ccf9d2bc83662dda

          SHA1

          94496d01aa91e981846299eeac5631ab8b8c4a93

          SHA256

          74e0bf30c9107fa716920c878521037db3ca4eeda5c14d745a2459eb14d1190e

          SHA512

          3990a61000c7dad33e75ce1ca670f5a7b66c0ce1215997dccfca5d4163fedfc7b736bca01c2f1064b0c780eccb039dd0de6be001c87399c1d69da0f456db2a8e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
          Filesize

          1.4MB

          MD5

          04e90b2cf273efb3f6895cfcef1e59ba

          SHA1

          79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

          SHA256

          e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

          SHA512

          72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
          Filesize

          320KB

          MD5

          0e273db4968b622b6795b24fc6cdd99f

          SHA1

          898c24dfcd980a27366f5f7980b353f1a44268f7

          SHA256

          278bd7ec26d05e56a61dbbcf86e970f067cc2558249058221532a42dba2dc41f

          SHA512

          a0e5409d27fe70624a3d32a81569ab196d1b1e439d8024a5508504845ed1236837de04dd662d2793c27b129e79fa0c4505e96210346ab96f2a448b2f3c44d551

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
          Filesize

          187KB

          MD5

          e78239a5b0223499bed12a752b893cad

          SHA1

          a429b46db791f433180ae4993ebb656d2f9393a4

          SHA256

          80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

          SHA512

          cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TmpABAB.tmp
          Filesize

          2KB

          MD5

          1420d30f964eac2c85b2ccfe968eebce

          SHA1

          bdf9a6876578a3e38079c4f8cf5d6c79687ad750

          SHA256

          f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

          SHA512

          6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

          Download Submit

        • \ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • \ProgramData\nss3.dll
          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

          Download Submit

        • \Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          Filesize

          1.8MB

          MD5

          b25ec0de1bbd8453c78b8cc55203b741

          SHA1

          0d04b0ff7267e22d2bbc273f83c1b5757960ac74

          SHA256

          f3f02279a9ad82bb01021f1a132b8caac611f8d0ef18345d6d53674d7535049c

          SHA512

          9baa2f68aa4a0565ae83b6131d2d4dd03c4a3a61bc106d356dbf4ada49bb47078472d4f85a128044921156d13b0e8f309e4035271b52741a452ec2fc4170eaa0

          Download Submit

        • memory/1700-14-0x0000000000850000-0x0000000000CF5000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1700-15-0x0000000006CE0000-0x0000000007185000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1700-0-0x0000000000850000-0x0000000000CF5000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1700-4-0x0000000000850000-0x0000000000CF5000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1700-3-0x0000000000850000-0x0000000000CF5000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1700-2-0x0000000000851000-0x000000000087F000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1700-1-0x00000000772D0000-0x00000000772D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2140-183-0x00000000012C0000-0x0000000001503000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2140-128-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2140-124-0x00000000012C0000-0x0000000001503000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2468-21-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-93-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-17-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-19-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-18-0x00000000001A1000-0x00000000001CF000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-160-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-156-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-80-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-84-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-87-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-88-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-89-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-90-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-91-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-92-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-22-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-126-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-104-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-105-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-125-0x00000000001A0000-0x0000000000645000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2468-122-0x0000000006380000-0x00000000065C3000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2468-123-0x0000000006380000-0x00000000065C3000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2764-39-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-45-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-43-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-48-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2764-49-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-50-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/2764-41-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/3052-37-0x00000000000A0000-0x00000000000F4000-memory.dmp

          Filesize

          336KB

          Download