Malware Analysis Report

2024-10-19 02:39

Sample ID 240908-dasnea1cjj
Target d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
SHA256 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
Tags
amadey cryptbot redline stealc default2 fed3aa livetraffic credential_access discovery evasion infostealer spyware stealer trojan @cloudytteam
score
10/10

Analysis Overview

score
10/10

SHA256

d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994

Threat Level: Known bad

The file d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994 was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

CryptBot

RedLine payload

Stealc

Credentials from Password Stores: Credentials from Web Browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-08 02:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-08 02:48

Reported

2024-09-08 02:51

Platform

win7-20240903-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"

Signatures

Amadey

trojan amadey

CryptBot

spyware stealer cryptbot

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2288 set thread context of 1612 N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob data elided] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2604 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2604 wrote to memory of 2288 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
PID 2288 wrote to memory of 1612 (12 identical events) N/A C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2604 wrote to memory of 1084 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 1084 wrote to memory of 2724 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 2604 wrote to memory of 2720 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 2724 wrote to memory of 1904 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe

"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe

"C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 752

Network

Country Destination Domain Proto
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.117:80 185.215.113.117 tcp
DE 95.179.250.45:26212 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 stagingbyvdveen.com udp
US 154.216.17.216:80 154.216.17.216 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
RU 80.66.75.114:80 80.66.75.114 tcp
US 8.8.8.8:53 sevtv17sb.top udp
RU 194.87.248.136:80 sevtv17sb.top tcp

Files

memory/2668-0-0x0000000001290000-0x000000000174E000-memory.dmp

memory/2668-1-0x0000000077760000-0x0000000077762000-memory.dmp

memory/2668-2-0x0000000001291000-0x00000000012BF000-memory.dmp

memory/2668-3-0x0000000001290000-0x000000000174E000-memory.dmp

memory/2668-5-0x0000000001290000-0x000000000174E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 f005e9e79e6612060e1bc6eae1464d67
SHA1 7228dc896a4d86e6b44942eff7e6c082d8d0d195
SHA256 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
SHA512 609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea

memory/2668-16-0x0000000001290000-0x000000000174E000-memory.dmp

memory/2668-15-0x0000000001290000-0x000000000174E000-memory.dmp

memory/2604-17-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-18-0x0000000000061000-0x000000000008F000-memory.dmp

memory/2604-19-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-22-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-21-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-23-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 2d647cf43622ed10b6d733bb5f048fc3
SHA1 6b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA256 41426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA512 62400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a

memory/2288-38-0x0000000001090000-0x00000000010E4000-memory.dmp

memory/1612-46-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1612-49-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-44-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-43-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-40-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-51-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1612-50-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2604-55-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp7B39.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/2604-66-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-67-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-70-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-71-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-72-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-73-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 a4ee93c323711328498bf8ae0b7236c4
SHA1 d5a829a23b4e2348cd421ab452a81c952969eb74
SHA256 2d5ec657539284715528ef94598818d1ab009f88b5a83828438ea41603053df8
SHA512 f6b1335bb9080adf961b5c2bbd60c6aed98c754bed0c57a7307eca3f03d020399045fb5a7d8a86fe47d7547767a5aeaf2fb5261c098ce8e123b2d0b49d43960b

memory/2604-84-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-85-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-86-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/2604-111-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/2720-130-0x0000000000C90000-0x0000000000ED3000-memory.dmp

memory/2604-129-0x0000000006270000-0x00000000064B3000-memory.dmp

memory/2604-128-0x0000000006270000-0x00000000064B3000-memory.dmp

memory/2604-131-0x0000000000060000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe

MD5 5f1dffeff8714e88b493506256db8f8a
SHA1 d554da350b41da8556ce83ed851b975d2325a3d2
SHA256 e372a2d6ea5d76b0ffbccfa5b6574b910826fb5b5998e8e5cc4dcd49f6dffff0
SHA512 4bf57a4af1514111e301f8a1c8f3e2c145d078ba45a94edb71af6b1f9ca6dcfb3bd35d5114936f5c97ab4b1561b7b5afd4bfcc6d37b2f39b3aca0c96e0b28960

memory/2604-148-0x0000000000060000-0x000000000051E000-memory.dmp

memory/1904-149-0x0000000000400000-0x0000000001066000-memory.dmp

memory/2604-150-0x0000000000060000-0x000000000051E000-memory.dmp

memory/1904-151-0x0000000000400000-0x0000000001066000-memory.dmp

memory/2604-152-0x0000000000060000-0x000000000051E000-memory.dmp

memory/2604-157-0x0000000000060000-0x000000000051E000-memory.dmp

memory/1904-166-0x0000000000400000-0x0000000001066000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-08 02:48

Reported

2024-09-08 02:51

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"

Signatures

Amadey

trojan amadey

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened (4 identical events) \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key value queried (4 identical events) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried (4 identical events) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened (4 identical events) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3992 set thread context of 2056 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplong.job C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
File created C:\Windows\Tasks\Hkbsse.job C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob data elided] C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe N/A
Token: SeSecurityPrivilege (4 identical events) N/A C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 3740 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 3740 wrote to memory of 3992 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
PID 3992 wrote to memory of 2056 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2056 wrote to memory of 1612 (3 identical events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe
PID 2056 wrote to memory of 4768 (3 identical events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe
PID 3740 wrote to memory of 4440 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
PID 4440 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4440 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 4440 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
PID 3740 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 3740 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
PID 3740 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
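
The records above are cross-process WriteProcessMemory events, and the one pair that stands out is crypteda.exe (PID 3992) writing ten times into a freshly started RegAsm.exe (PID 2056), a signed .NET host from the Windows directory; taken together with the SetThreadContext signature in the summary, that is the shape of process hollowing, and it explains why RegAsm.exe, not crypteda.exe, is the process that later drops PSLvRVnwWg.exe and 6eOm6iL9Z6.exe. The script below is an added example, not part of this report or of the sandbox that produced it. It parses records in the report's line format into a process tree, counts writes per parent/child pair, and flags writes whose target image lives under C:\Windows\ (that trusted-prefix rule and all function names are my own choices). The embedded log reproduces the records above with their repetition counts.

```python
import re
from collections import Counter, defaultdict

# Image paths as they appear in this report's records.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"
AXPLONG = r"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
CRYPTEDA = r"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
PSL = r"C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe"
SIX = r"C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe"
NEWORK = r"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
HKBSSE = r"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
STEALC = r"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

# The report's records, regenerated in its own line format; the last field of
# each tuple is how many times that parent/child pair occurs in the report.
_FMT = "PID {p} wrote to memory of {c} N/A {src} {dst}"
_PAIRS = [
    (2540, 3740, SAMPLE, AXPLONG, 3),
    (3740, 3992, AXPLONG, CRYPTEDA, 3),
    (3992, 2056, CRYPTEDA, REGASM, 10),
    (2056, 1612, REGASM, PSL, 3),
    (2056, 4768, REGASM, SIX, 3),
    (3740, 4440, AXPLONG, NEWORK, 3),
    (4440, 3024, NEWORK, HKBSSE, 3),
    (3740, 632, AXPLONG, STEALC, 3),
]
SAMPLE_LOG = "\n".join(
    _FMT.format(p=p, c=c, src=s, dst=d)
    for p, c, s, d, n in _PAIRS for _ in range(n)
)

_EVENT = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

def parse_write_events(text):
    """One (parent_pid, child_pid, parent_image, child_image) per record."""
    out = []
    for line in text.splitlines():
        m = _EVENT.match(line.strip())
        if m:
            out.append((int(m[1]), int(m[2]), m[3], m[4]))
    return out

def build_tree(events):
    """parent pid -> set of child pids, plus pid -> image path."""
    children, image = defaultdict(set), {}
    for p, c, pi, ci in events:
        children[p].add(c)
        image[p], image[c] = pi, ci
    return dict(children), image

def roots(events):
    """Pids that write into others but are never written into: the detonated sample."""
    return sorted({e[0] for e in events} - {e[1] for e in events})

def write_counts(events):
    """Number of WriteProcessMemory records per (parent, child) pair."""
    return Counter((e[0], e[1]) for e in events)

def suspicious_targets(events, trusted_prefix="C:\\Windows\\"):
    """Writes whose target image lives under the OS directory (assumed rule):
    a user-land dropper filling a signed host such as RegAsm.exe."""
    counts = write_counts(events)
    seen, hits = set(), []
    for p, c, pi, ci in events:
        if ci.lower().startswith(trusted_prefix.lower()) and (p, c) not in seen:
            seen.add((p, c))
            hits.append({"parent": pi, "target": ci, "pid": c, "writes": counts[(p, c)]})
    return hits

def render(events):
    """Indented process tree, one line per pid, with write counts on each edge."""
    tree, image = build_tree(events)
    counts, lines = write_counts(events), []
    def walk(pid, depth, n):
        edge = f" ({n} writes)" if n else ""
        lines.append(f"{'  ' * depth}{pid} {image[pid]}{edge}")
        for kid in sorted(tree.get(pid, ())):
            walk(kid, depth + 1, counts[(pid, kid)])
    for r in roots(events):
        walk(r, 0, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    ev = parse_write_events(SAMPLE_LOG)
    print(render(ev))
    for hit in suspicious_targets(ev):
        print("injection candidate:", hit)
```

Three writes per pair is what a plain CreateProcess-and-inject-a-small-stub pattern looks like in this data; the ten writes into RegAsm.exe (headers plus one write per PE section is the usual count for hollowing) are why that edge, and not the eight others, deserves the analyst's attention.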

Processes

C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe

"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe

"C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe"

C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe

"C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            104.219.191.52.in-addr.arpa     udp
RU       185.215.113.16:80     185.215.113.16                  tcp
RU       185.215.113.117:80    185.215.113.117                 tcp
US       8.8.8.8:53            16.113.215.185.in-addr.arpa     udp
US       8.8.8.8:53            117.113.215.185.in-addr.arpa    udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53            23.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53            232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa    udp
RU       185.215.113.16:80     185.215.113.16                  tcp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa      udp
RU       185.215.113.26:80     185.215.113.26                  tcp
US       8.8.8.8:53            26.113.215.185.in-addr.arpa     udp
FI       65.21.18.51:45580                                     tcp
US       8.8.8.8:53            51.18.21.65.in-addr.arpa        udp
FI       95.216.107.53:12311                                   tcp
US       8.8.8.8:53            53.107.216.95.in-addr.arpa      udp
US       8.8.8.8:53            81.144.22.2.in-addr.arpa        udp
RU       185.215.113.26:80     185.215.113.26                  tcp
US       8.8.8.8:53            stagingbyvdveen.com             udp
RU       185.215.113.17:80     185.215.113.17                  tcp
US       154.216.17.216:80     154.216.17.216                  tcp
US       8.8.8.8:53            216.17.216.154.in-addr.arpa     udp
US       8.8.8.8:53            17.113.215.185.in-addr.arpa     udp
US       8.8.8.8:53            152.141.79.40.in-addr.arpa      udp
RU       80.66.75.114:80       80.66.75.114                    tcp
US       8.8.8.8:53            114.75.66.80.in-addr.arpa       udp
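
Most rows in that table are reverse (in-addr.arpa) lookups sent to 8.8.8.8, which name an address but are not evidence that the sample talked to it; the indicators are the direct TCP destinations (the plain-HTTP hosts on 185.215.113.0/24, 154.216.17.216 and 80.66.75.114, and the two high-port Finnish hosts contacted without any name lookup) and the single forward lookup, stagingbyvdveen.com. The script below is an added example, not part of the report or its sandbox; it parses rows in the table's format, including the rows whose Domain column is empty, turns PTR names back into addresses, and separates endpoints the sample actually connected to from addresses that only ever appeared in a reverse lookup. The resolver address defaults to the 8.8.8.8:53 seen in the table, and the function names are my own.

```python
import re
from ipaddress import ip_address

# Rows copied from this report's Network table and embedded as the example's
# input; the Domain column is blank for direct-to-IP connections.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.117:80 185.215.113.117 tcp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 117.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 26.113.215.185.in-addr.arpa udp
FI 65.21.18.51:45580 tcp
US 8.8.8.8:53 51.18.21.65.in-addr.arpa udp
FI 95.216.107.53:12311 tcp
US 8.8.8.8:53 53.107.216.95.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
RU 185.215.113.26:80 185.215.113.26 tcp
US 8.8.8.8:53 stagingbyvdveen.com udp
RU 185.215.113.17:80 185.215.113.17 tcp
US 154.216.17.216:80 154.216.17.216 tcp
US 8.8.8.8:53 216.17.216.154.in-addr.arpa udp
US 8.8.8.8:53 17.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp
RU 80.66.75.114:80 80.66.75.114 tcp
US 8.8.8.8:53 114.75.66.80.in-addr.arpa udp
"""

_PTR = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")

def parse_rows(text):
    """Split 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        rows.append({"country": t[0], "dest": t[1],
                     "domain": t[2] if len(t) == 4 else "", "proto": t[-1]})
    return rows

def ptr_to_ip(name):
    """'104.219.191.52.in-addr.arpa' -> '52.191.219.104'; None if not a PTR name."""
    m = _PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None

def _endpoint_key(ep):
    host, port = ep.rsplit(":", 1)
    return ip_address(host), int(port)

def extract_iocs(rows, resolver="8.8.8.8:53"):
    """Separate indicators from resolver noise.

    endpoints:     unique ip:port the sample connected to (resolver excluded)
    domains:       forward lookups, the only names the sample asked for
    resolved_only: addresses seen in reverse lookups but never contacted
    """
    endpoints, domains, ptr_ips = set(), set(), set()
    for r in rows:
        if r["dest"] == resolver:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)
            elif r["domain"]:
                domains.add(r["domain"])
        else:
            endpoints.add(r["dest"])
    contacted = {e.rsplit(":", 1)[0] for e in endpoints}
    return {
        "endpoints": sorted(endpoints, key=_endpoint_key),
        "domains": sorted(domains),
        "resolved_only": sorted(ptr_ips - contacted, key=ip_address),
    }

if __name__ == "__main__":
    for kind, values in extract_iocs(parse_rows(SAMPLE_NETWORK)).items():
        print(kind, values)
```

Every address the sample connected to also shows up as a PTR query, so the eight endpoints and the ten resolved-only addresses partition the reverse lookups cleanly; the resolved-only set is what to leave out of a blocklist built from this report.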

Files

memory/2540-0-0x0000000000A70000-0x0000000000F2E000-memory.dmp

memory/2540-1-0x0000000077274000-0x0000000077276000-memory.dmp

memory/2540-2-0x0000000000A71000-0x0000000000A9F000-memory.dmp

memory/2540-3-0x0000000000A70000-0x0000000000F2E000-memory.dmp

memory/2540-4-0x0000000000A70000-0x0000000000F2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 f005e9e79e6612060e1bc6eae1464d67
SHA1 7228dc896a4d86e6b44942eff7e6c082d8d0d195
SHA256 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
SHA512 609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea

memory/2540-16-0x0000000000A70000-0x0000000000F2E000-memory.dmp

memory/3740-17-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-19-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-18-0x0000000000021000-0x000000000004F000-memory.dmp

memory/3740-20-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-21-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-22-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-23-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-24-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/2668-26-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/2668-27-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/2668-28-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/2668-30-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-31-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-32-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-33-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-34-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-35-0x0000000000020000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

MD5 fb4b7dd5001e3e263c6c4db03c9df1fc
SHA1 f8454e5dbc716b85d89b3117aaa51751514c1801
SHA256 1016070be8c1c10cf9b4fe2b8bc374e0ad34d401fdb95c7b0ac2222b147d2d7c
SHA512 2d53daf42b07687e970c5fd96b61bdd57209dd31d3914d7ac86d5a356e5ba84af816275b01de8791ad3705f69057f8994e5cf2dd60c916e8bd58e5700d8bb2a7

memory/3740-50-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/4392-53-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-54-0x0000000000020000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

MD5 8e74497aff3b9d2ddb7e7f819dfc69ba
SHA1 1d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256 d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA512 9aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97

memory/3992-73-0x0000000000190000-0x00000000002A2000-memory.dmp

memory/2056-75-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2056-80-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2056-79-0x0000000000400000-0x000000000050D000-memory.dmp

memory/2056-77-0x0000000000400000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe

MD5 88367533c12315805c059e688e7cdfe9
SHA1 64a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256 c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA512 7a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714

C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe

MD5 30f46f4476cdc27691c7fdad1c255037
SHA1 b53415af5d01f8500881c06867a49a5825172e36
SHA256 3a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512 271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f

memory/2056-102-0x0000000000400000-0x000000000050D000-memory.dmp

memory/4768-104-0x0000000000940000-0x0000000000992000-memory.dmp

memory/4768-106-0x00000000058A0000-0x0000000005E44000-memory.dmp

memory/1612-105-0x0000000000010000-0x000000000009E000-memory.dmp

memory/4768-107-0x0000000005240000-0x00000000052D2000-memory.dmp

memory/4768-108-0x0000000005410000-0x000000000541A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp2800.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/4768-125-0x0000000005ED0000-0x0000000005F46000-memory.dmp

memory/4768-126-0x00000000067D0000-0x00000000067EE000-memory.dmp

memory/4768-129-0x0000000006F10000-0x0000000007528000-memory.dmp

memory/4768-130-0x0000000006A60000-0x0000000006B6A000-memory.dmp

memory/4768-131-0x00000000069A0000-0x00000000069B2000-memory.dmp

memory/4768-132-0x0000000006A00000-0x0000000006A3C000-memory.dmp

memory/4768-133-0x0000000006B70000-0x0000000006BBC000-memory.dmp

memory/1612-134-0x00000000086E0000-0x0000000008746000-memory.dmp

memory/3740-135-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/1612-136-0x0000000009560000-0x0000000009722000-memory.dmp

memory/1612-137-0x0000000009C60000-0x000000000A18C000-memory.dmp

memory/4768-140-0x0000000006EB0000-0x0000000006F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe

MD5 f5d7b79ee6b6da6b50e536030bcc3b59
SHA1 751b555a8eede96d55395290f60adc43b28ba5e2
SHA256 2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512 532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

memory/3740-167-0x0000000000020000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 7a02aa17200aeac25a375f290a4b4c95
SHA1 7cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256 836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512 f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

memory/632-185-0x0000000000EE0000-0x0000000001123000-memory.dmp

memory/3740-186-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-187-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3740-188-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/3952-191-0x0000000000020000-0x00000000004DE000-memory.dmp

memory/632-192-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3740-208-0x0000000000020000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000026001\joffer2.exe

MD5 923af9aa015392afb0de83984c63800e
SHA1 b6f7676f5067fd107f75c8da413c62a1729c688a
SHA256 a1badc8aa494ac97273e81666ed109b9720c4e77fd931680e2a3bd8b1c3de4b7
SHA512 1882bc2f6f47b7cac1227a862c7b534343d133233a4bb33fd387d907e3267adb4760989c1e32f05abdb7b34228689228ec4a7090111838ca3341808ef2806f82