Malware Analysis Report

2024-10-19 02:39

Sample ID 240907-ye1vsstekb
Target 2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759
SHA256 2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759
Tags
amadey cryptbot redline stealc default2 fed3aa livetraffic credential_access discovery evasion infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759

Threat Level: Known bad

The file 2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759 was found to be: Known bad.

Malicious Activity Summary

amadey cryptbot redline stealc default2 fed3aa livetraffic credential_access discovery evasion infostealer spyware stealer trojan

Stealc

Amadey

RedLine payload

RedLine

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-07 19:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-07 19:42

Reported

2024-09-07 19:45

Platform

win7-20240903-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe"

Signatures

Amadey

trojan amadey

CryptBot

spyware stealer cryptbot

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob data elided] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2232 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2232 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2232 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2788 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2788 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2788 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2788 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2964 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2788 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2788 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2788 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2788 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2808 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2788 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2788 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2788 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2788 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe
PID 2712 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe

"C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe

"C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe"

Network

Country  Destination           Domain                  Proto
RU       185.215.113.16:80     185.215.113.16          tcp
RU       185.215.113.117:80    185.215.113.117         tcp
DE       95.179.250.45:26212   N/A                     tcp
RU       185.215.113.16:80     N/A                     tcp
RU       185.215.113.16:80     185.215.113.16          tcp
RU       185.215.113.26:80     185.215.113.26          tcp
RU       185.215.113.26:80     185.215.113.26          tcp
US       8.8.8.8:53            stagingbyvdveen.com     udp
RU       185.215.113.17:80     185.215.113.17          tcp
US       154.216.17.216:80     154.216.17.216          tcp
US       8.8.8.8:53            sevtv17sb.top           udp
RU       194.87.248.136:80     sevtv17sb.top           tcp

Files

memory/2232-0-0x0000000000310000-0x00000000007B8000-memory.dmp

memory/2232-1-0x0000000077310000-0x0000000077312000-memory.dmp

memory/2232-2-0x0000000000311000-0x000000000033F000-memory.dmp

memory/2232-3-0x0000000000310000-0x00000000007B8000-memory.dmp

memory/2232-5-0x0000000000310000-0x00000000007B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 595516c099c878806dfc7202830f2a20
SHA1 d34038346aa80263f2113c6f291e4dd370a100ae
SHA256 2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759
SHA512 47c282b3a642b84e8d0eeb719c8264a834ba7818f76b0881057e4742c0be6080a4924094f38bb432d94acda6e4aeb0dec16794ff8cfb25420e5e675770fecf3a

memory/2232-15-0x0000000006D40000-0x00000000071E8000-memory.dmp

memory/2232-14-0x0000000000310000-0x00000000007B8000-memory.dmp

memory/2788-17-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-18-0x0000000000D41000-0x0000000000D6F000-memory.dmp

memory/2788-19-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-21-0x0000000000D40000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 2d647cf43622ed10b6d733bb5f048fc3
SHA1 6b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA256 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA512 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a

memory/2964-36-0x0000000000220000-0x0000000000274000-memory.dmp

memory/1440-40-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-47-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1440-44-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-38-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-42-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-48-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1440-49-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp90CC.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2788-63-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-64-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-66-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-69-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-70-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-71-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-72-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-73-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-74-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-75-0x0000000000D40000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 478fe6521a95585b7621570dadccc74f
SHA1 223030cef2e1aaa5b5daab988d6e47a462e54dd9
SHA256 b570faccd6511e1eecd696c6a488f06fd1d1e1ccea92644a6c3dcac40a2cf9ff
SHA512 db04daabf4a97f7065eca61cc7334056908b6761c771ae86a1edfe0accdd2f3ec37455393c8f84e3ca4d991a8ca465fbc912cc3dd73131bc54a7438fe6bbbbd7

memory/2788-86-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-87-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2788-88-0x0000000000D40000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/2788-113-0x0000000000D40000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/2944-132-0x00000000012C0000-0x0000000001503000-memory.dmp

memory/2788-131-0x0000000006500000-0x0000000006743000-memory.dmp

memory/2788-129-0x0000000006500000-0x0000000006743000-memory.dmp

memory/2788-133-0x0000000000D40000-0x00000000011E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe

MD5 f7f25eb4fb89302ddfc596ad4dfb2907
SHA1 0a6f2cffb64eef1b4f698427bd3144fb2c679f63
SHA256 c56917c40623e6f97fb1168b7586d3434b3ba23e0ddaa40ebe455ff7ab7db2ff
SHA512 27fdbf978393f1d41c13f36e9ce5dff79b332d9039207d21e1b6fedd7a13f42dc30cd5f06096d8cd29fb7cd97243fbb6da77abe5842cbf018ecbe0a18a23f951

memory/2788-150-0x0000000000D40000-0x00000000011E8000-memory.dmp

memory/2544-151-0x0000000000400000-0x000000000106F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-07 19:42

Reported

2024-09-07 19:45

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4448 set thread context of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob data elided] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1956 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 1956 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2364 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2364 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2364 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2364 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2364 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 2364 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4092 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4092 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4092 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2364 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2364 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2364 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe

"C:\Users\Admin\AppData\Local\Temp\2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.117:80 185.215.113.117 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 117.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 95.179.250.45:26212 tcp
US 8.8.8.8:53 45.250.179.95.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 26.113.215.185.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp

Files

memory/1956-0-0x0000000000B80000-0x0000000001028000-memory.dmp

memory/1956-1-0x00000000775E4000-0x00000000775E6000-memory.dmp

memory/1956-2-0x0000000000B81000-0x0000000000BAF000-memory.dmp

memory/1956-3-0x0000000000B80000-0x0000000001028000-memory.dmp

memory/1956-4-0x0000000000B80000-0x0000000001028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 595516c099c878806dfc7202830f2a20
SHA1 d34038346aa80263f2113c6f291e4dd370a100ae
SHA256 2021369193d03e836430c3bf64c7fc65cd45f517bfb1415619e4893218b9a759
SHA512 47c282b3a642b84e8d0eeb719c8264a834ba7818f76b0881057e4742c0be6080a4924094f38bb432d94acda6e4aeb0dec16794ff8cfb25420e5e675770fecf3a

memory/2364-16-0x0000000000470000-0x0000000000918000-memory.dmp

memory/1956-18-0x0000000000B80000-0x0000000001028000-memory.dmp

memory/2364-19-0x0000000000471000-0x000000000049F000-memory.dmp

memory/2364-20-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-21-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-22-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-23-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-24-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4104-26-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4104-27-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4104-28-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4104-30-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-31-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-32-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-33-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-34-0x0000000000470000-0x0000000000918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 2d647cf43622ed10b6d733bb5f048fc3
SHA1 6b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA256 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA512 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a

memory/4448-55-0x0000000000EA0000-0x0000000000EF4000-memory.dmp

memory/2368-57-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2368-59-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/2368-60-0x0000000005780000-0x0000000005812000-memory.dmp

memory/2368-61-0x0000000005950000-0x000000000595A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6ED2.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2368-79-0x0000000006520000-0x0000000006596000-memory.dmp

memory/2364-78-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2368-80-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

memory/2368-83-0x0000000007670000-0x0000000007C88000-memory.dmp

memory/2368-84-0x0000000008EF0000-0x0000000008FFA000-memory.dmp

memory/2368-85-0x0000000007570000-0x0000000007582000-memory.dmp

memory/2368-86-0x00000000075D0000-0x000000000760C000-memory.dmp

memory/2368-87-0x0000000007610000-0x000000000765C000-memory.dmp

memory/2368-88-0x00000000098E0000-0x0000000009946000-memory.dmp

memory/2364-91-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2464-94-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2368-93-0x0000000009E60000-0x000000000A022000-memory.dmp

memory/2368-95-0x000000000A560000-0x000000000AA8C000-memory.dmp

memory/2464-96-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-97-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-98-0x0000000000470000-0x0000000000918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 c65ce410fa999e3e75be028e5eb961ea
SHA1 48e0a61b117e5439db8467600a12f6c260f1fb35
SHA256 e486590f1d601fada43972b9fd5554a3696b317f993ffdc06a0633234897ce35
SHA512 3844a4bd6e1f85c2f3b5c9a7b58d561b55fd415ffe397a5a12130f92bbb3f03cc8c05fd8ea243247189ea6436797c474a1ad204f30c2b9d6ad89fcaefa7a8959

memory/2364-113-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-114-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2368-115-0x0000000005BB0000-0x0000000005C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/4824-157-0x0000000000C70000-0x0000000000EB3000-memory.dmp

memory/2364-158-0x0000000000470000-0x0000000000918000-memory.dmp

memory/2364-159-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4864-162-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4864-163-0x0000000000470000-0x0000000000918000-memory.dmp

memory/4824-164-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2364-197-0x0000000000470000-0x0000000000918000-memory.dmp