Overview

overview

10

Static

static

3

6eb59c4f67...4a.exe

windows7-x64

10

6eb59c4f67...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 01:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe

  • Size

    1.8MB

  • MD5

    3bcdaf8aa8a6f0ca2f613c8c14bc5a6e

  • SHA1

    14e7cff2628e339009821bdb95673a40299149d0

  • SHA256

    6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

  • SHA512

    d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

  • SSDEEP

    49152:GQlomvjK2/8k6ZJ8EBHJGCHONwoFCRUUoYk32nOg:15vjak6z84uszoYkGl

Score
10/10
amadeystealcc7817dravediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe
    "C:\Users\Admin\AppData\Local\Temp\6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe
        "C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
      • C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe
        "C:\Users\Admin\AppData\Local\Temp\1000030001\075a7c4892.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:316
      • C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe
        "C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:652

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1000040001\d725f2ec79.exe
          Filesize

          896KB

          MD5

          6ca9ba147fcf085d7f828da983fd946f

          SHA1

          e7fedc40f0cbbe1ba28d52b4c25d2840a0004002

          SHA256

          df465e0e7a01e93a8ed0f4a96fcba84506e0789f329fac2419d17f65bd1749c8

          SHA512

          626c5f47f2da8bfcd805d0fb510beb1800359596b304a90afdbc2f7d381c2df42751f3659b12c30d4e430c6e46ee1ef9be2c2d1a6779dac13399d7511b2121f0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\1000026000\8cb3f97d28.exe
          Filesize

          1.7MB

          MD5

          582c09e30698672fd833e6e6c0dc506e

          SHA1

          37dafeb7ea62e155ff3f2d47f84011b24ef8ba2b

          SHA256

          99e3eaac03d77c6b24ebd5a17326ba051788d58f1f1d4aa6871310419a85d8af

          SHA512

          495525e62560e397c0bef9c7f17358c08547c34930e772c8e59476ec50b7196eac28a0cbba83d0d90ebcc4282e210e0d140292cf4bfd52262cba45e2a9d6a1c9

          Download Submit

        • \Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
          Filesize

          1.8MB

          MD5

          3bcdaf8aa8a6f0ca2f613c8c14bc5a6e

          SHA1

          14e7cff2628e339009821bdb95673a40299149d0

          SHA256

          6eb59c4f674dca8834a2e617632dce7fd0be64ab01297e016b424d04b0b0054a

          SHA512

          d4f38ebb5e8684ab8d267cbef2c2a227238636409cc41b03fa767e3ba83f324db47e93543dfdde302fa72847b728f4ba93aae10d58670efe0ada9ed051941579

          Download Submit

        • memory/316-82-0x0000000001350000-0x00000000019B6000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/316-62-0x0000000001350000-0x00000000019B6000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/1548-40-0x00000000009A0000-0x0000000001006000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/1548-64-0x00000000009A0000-0x0000000001006000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/1708-3-0x0000000000BB0000-0x0000000001062000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1708-16-0x0000000000BB0000-0x0000000001062000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1708-14-0x0000000007130000-0x00000000075E2000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1708-4-0x0000000000BB0000-0x0000000001062000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1708-0-0x0000000000BB0000-0x0000000001062000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/1708-2-0x0000000000BB1000-0x0000000000BDF000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1708-1-0x00000000770E0000-0x00000000770E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2732-61-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-17-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-38-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-58-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-60-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-39-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-21-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-59-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-19-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-18-0x0000000000DC1000-0x0000000000DEF000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2732-79-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-80-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-81-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-41-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-83-0x00000000068C0000-0x0000000006F26000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/2732-84-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-85-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-86-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-87-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-88-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-89-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-90-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-91-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-92-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-93-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-94-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-95-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/2732-96-0x0000000000DC0000-0x0000000001272000-memory.dmp

          Filesize

          4.7MB

          Download