Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-09-2024 03:11

General

  • Target

    86428dd44549198730fd4dbcb1813e20N.exe

  • Size

    1.8MB

  • MD5

    86428dd44549198730fd4dbcb1813e20

  • SHA1

    835b9410650b1477b06063fe34a1e8025b6dacf6

  • SHA256

    15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8

  • SHA512

    0c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe

  • SSDEEP

    49152:4q34XZCmyUbLYFQLNX3U1L/t6JnidewigXUPT/LOaGr:4qoX1HL6QLNU1Tt4nirigXUPTzOaG

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey is a simple trojan bot primarily used for collecting reconnaissance information and downloading additional payloads.

  • Stealc

    Stealc is an infostealer written in C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
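The signatures above name the behaviours (VirtualBox ACPI lookup, BIOS fingerprinting, Wine detection, location check, Run-key persistence) but not the registry keys behind them. The following is an added detection example, not part of the sandbox report: it classifies registry-access events against those categories and flags a process that touches two or more anti-analysis categories. The key paths are assumptions taken from commonly used VM/sandbox fingerprinting checks, the HKU-to-HKCU folding assumes Sysmon-style paths, and the event records are constructed for illustration (the PIDs mirror the process tree below; the Run value name is invented).

```python
"""Classify registry accesses against the anti-analysis and persistence
behaviours listed in the Signatures section of the report.

Added example, not the sandbox's own logic. Key paths are assumptions
drawn from well-known VM/sandbox fingerprinting code; the report names
the behaviours, not the keys. Sample events are constructed.
"""
import re
from collections import defaultdict

# Category -> regexes over the normalized key path (assumed key paths).
ANTI_ANALYSIS_KEYS = {
    "virtualbox_acpi": [r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"],
    "bios_info": [
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)",
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$",
    ],
    "wine": [r"^HKCU\\Software\\Wine(\\|$)"],
    "location": [r"^HKCU\\Control Panel\\International\\Geo\\Nation$"],
}
PERSISTENCE_KEYS = {
    "run_key": [r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)"],
}
_HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalize_key(path: str) -> str:
    """Fold long hive names and HKU\\<SID> onto HKLM/HKCU short forms."""
    path = path.replace("/", "\\").strip()
    for long, short in _HIVE_ALIASES.items():
        if path.upper().startswith(long):
            path = short + path[len(long):]
            break
    # Sysmon logs per-user hives as HKU\S-1-5-21-...\...; treat them as HKCU.
    return re.sub(r"^HKU\\[^\\]+", "HKCU", path, flags=re.IGNORECASE)


def classify(path: str):
    """Return (kind, category) for a registry path, or None if uninteresting."""
    key = normalize_key(path)
    for table, kind in ((ANTI_ANALYSIS_KEYS, "anti_analysis"),
                        (PERSISTENCE_KEYS, "persistence")):
        for category, patterns in table.items():
            if any(re.match(p, key, re.IGNORECASE) for p in patterns):
                return kind, category
    return None


def score_processes(events, min_categories=2):
    """Group events by PID. A process is flagged when it queries keys from
    at least `min_categories` distinct anti-analysis categories; Run-key
    writes are recorded separately as persistence."""
    hits = defaultdict(set)
    persistence = defaultdict(set)
    for ev in events:
        res = classify(ev["key"])
        if res is None:
            continue
        kind, cat = res
        if kind == "anti_analysis":
            hits[ev["pid"]].add(cat)
        elif ev.get("op") == "SetValue":
            persistence[ev["pid"]].add(cat)
    flagged = {pid for pid, cats in hits.items() if len(cats) >= min_categories}
    return {"anti_analysis": dict(hits), "persistence": dict(persistence), "flagged": flagged}


# Constructed sample events; PIDs follow the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 1188, "op": "QueryValue", "key": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 1188, "op": "QueryValue", "key": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"pid": 1188, "op": "QueryValue", "key": r"HKEY_CURRENT_USER\Software\Wine"},
    {"pid": 1188, "op": "QueryValue", "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"pid": 1052, "op": "SetValue",   "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svoutse"},
    {"pid": 1052, "op": "QueryValue", "key": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"},
    {"pid": 1052, "op": "QueryValue", "key": r"HKU\S-1-5-21-1111\Software\Wine"},
    {"pid": 4242, "op": "QueryValue", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common"},
]

if __name__ == "__main__":
    result = score_processes(SAMPLE_EVENTS)
    for pid in sorted(result["flagged"]):
        print(f"PID {pid}: anti-analysis categories {sorted(result['anti_analysis'][pid])}")
    for pid, cats in result["persistence"].items():
        print(f"PID {pid}: persistence via {sorted(cats)}")
```

A single BIOS read is common in legitimate software, which is why the scorer requires two distinct categories before flagging; the Run-key write is reported on its own because it is a persistence action rather than a fingerprinting one.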

Processes

  • C:\Users\Admin\AppData\Local\Temp\86428dd44549198730fd4dbcb1813e20N.exe
    "C:\Users\Admin\AppData\Local\Temp\86428dd44549198730fd4dbcb1813e20N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe
        "C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:752
      • C:\Users\Admin\AppData\Local\Temp\1000042001\e668b16c1c.exe
        "C:\Users\Admin\AppData\Local\Temp\1000042001\e668b16c1c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1496
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2936
  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3344
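The extracted configuration (Amadey C2 at 31.41.244.10 with /Dem7kTu/index.php, Stealc C2 at 185.215.113.103 with /e2b1563c6670f193.php, install_dir 0e8d0864aa, install_file svoutse.exe) and the process tree together give a small, concrete indicator set; note that the dropped svoutse.exe carries the same hashes as the submitted sample, i.e. the loader copied itself into its install directory. The following is an added example, not part of the sandbox report, that turns those values into network and host indicators and matches them against log records. Indicator values are copied from the report; the proxy-log and process-creation layouts are assumptions about a generic export, not a vendor's format, and the log lines are constructed.

```python
"""Build indicators from the report's Malware Config and Downloads sections
and match them against proxy and process-creation records.

Added example, not the sandbox's own logic. Indicator values come from the
report; log layouts are assumed and sample records are constructed.
"""
import re
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section.
CONFIGS = [
    {"family": "amadey", "c2": "http://31.41.244.10", "paths": ["/Dem7kTu/index.php"],
     "install_dir": "0e8d0864aa", "install_file": "svoutse.exe"},
    {"family": "stealc", "c2": "http://185.215.113.103", "paths": ["/e2b1563c6670f193.php"]},
]

# SHA256 values from the report's "Downloads" section.
KNOWN_HASHES = {
    "15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8":
        "Amadey sample, identical to the dropped svoutse.exe",
    "e2a1770da6d6838de2454af91092c33eb7f2c933617422826e2a15240f967266":
        "e0b9b45a23.exe, executed by svoutse.exe",
}


def build_indicators(configs):
    """Derive (host, path) -> family and install-path regexes from configs."""
    net = {}
    host_paths = []
    for c in configs:
        host = urlsplit(c["c2"]).hostname
        for p in c["paths"]:
            net[(host, p)] = c["family"]
        if "install_dir" in c:
            # The report shows %TEMP%\<install_dir>\<install_file>; match the
            # path tail so the user profile name does not matter.
            rx = re.compile(r"\\AppData\\Local\\Temp\\" + re.escape(c["install_dir"])
                            + r"\\" + re.escape(c["install_file"]) + r"$", re.IGNORECASE)
            host_paths.append((c["family"], rx))
    return net, host_paths


# Assumed proxy log layout: "<timestamp> <src-ip> <method> <url> <status>".
_PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy_line(line, net):
    """Return (family, host, path) when the request hits a known C2 endpoint."""
    m = _PROXY_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    key = (u.hostname, u.path)
    return (net[key], u.hostname, u.path) if key in net else None


def match_process(record, host_paths, hashes):
    """Return the list of reasons a process-creation record is suspicious."""
    reasons = []
    for family, rx in host_paths:
        if rx.search(record["image"]):
            reasons.append(f"{family} install path")
    digest = record.get("sha256", "").lower()
    if digest in hashes:
        reasons.append("known hash: " + hashes[digest])
    return reasons


# Constructed sample records; paths and hashes mirror the report.
SAMPLE_PROXY = [
    "2024-09-14T03:12:01Z 10.0.0.23 POST http://31.41.244.10/Dem7kTu/index.php 200",
    "2024-09-14T03:12:09Z 10.0.0.23 POST http://185.215.113.103/e2b1563c6670f193.php 200",
    "2024-09-14T03:12:10Z 10.0.0.23 GET http://31.41.244.10/favicon.ico 404",
    "2024-09-14T03:12:11Z 10.0.0.45 GET https://www.example.com/index.php 200",
]
SAMPLE_PROCS = [
    {"pid": 1052, "image": r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe",
     "sha256": "15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8"},
    {"pid": 752, "image": r"C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe",
     "sha256": "e2a1770da6d6838de2454af91092c33eb7f2c933617422826e2a15240f967266"},
    {"pid": 900, "image": r"C:\Windows\System32\notepad.exe", "sha256": "00" * 32},
]


def run(proxy_lines=SAMPLE_PROXY, procs=SAMPLE_PROCS):
    """Return (network hits, {pid: reasons}) for the given records."""
    net, host_paths = build_indicators(CONFIGS)
    net_hits = [h for h in (match_proxy_line(l, net) for l in proxy_lines) if h]
    proc_hits = {}
    for p in procs:
        reasons = match_process(p, host_paths, KNOWN_HASHES)
        if reasons:
            proc_hits[p["pid"]] = reasons
    return net_hits, proc_hits


if __name__ == "__main__":
    net_hits, proc_hits = run()
    for fam, host, path in net_hits:
        print(f"C2 request: {fam} -> {host}{path}")
    for pid, reasons in proc_hits.items():
        print(f"PID {pid}: {'; '.join(reasons)}")
```

Matching on host plus URL path rather than host alone keeps the favicon-style false positives out while still catching both families' check-ins; the hash lookup covers the case where the loader is installed under a different directory name than the one this sample used.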

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

    Filesize

    1.8MB

    MD5

    86428dd44549198730fd4dbcb1813e20

    SHA1

    835b9410650b1477b06063fe34a1e8025b6dacf6

    SHA256

    15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8

    SHA512

    0c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe

  • C:\Users\Admin\AppData\Roaming\1000041000\e0b9b45a23.exe

    Filesize

    1.7MB

    MD5

    087b03122f2a7c24af29a7c3e574fa39

    SHA1

    c15df128fdfa9e29dab7c6a272db1e5dbf4f4f7c

    SHA256

    e2a1770da6d6838de2454af91092c33eb7f2c933617422826e2a15240f967266

    SHA512

    edbb50946cf8ea8f1fd401556a390901f4e4c4114ef9097a1e8e44a9c29452894a1541085037f5098a8395d9097cff0c56869b6637c53f4bd3c9482fef725d5a

  • memory/752-57-0x0000000000330000-0x00000000009A1000-memory.dmp

    Filesize

    6.4MB

  • memory/752-47-0x0000000000330000-0x00000000009A1000-memory.dmp

    Filesize

    6.4MB

  • memory/752-46-0x0000000000330000-0x00000000009A1000-memory.dmp

    Filesize

    6.4MB

  • memory/752-37-0x0000000000330000-0x00000000009A1000-memory.dmp

    Filesize

    6.4MB

  • memory/1052-59-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-77-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-20-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-19-0x0000000000601000-0x000000000062F000-memory.dmp

    Filesize

    184KB

  • memory/1052-21-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-80-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-79-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-78-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-17-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-67-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-76-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-58-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-71-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-70-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-61-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-69-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-68-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1052-66-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/1188-2-0x0000000000321000-0x000000000034F000-memory.dmp

    Filesize

    184KB

  • memory/1188-0-0x0000000000320000-0x00000000007E0000-memory.dmp

    Filesize

    4.8MB

  • memory/1188-1-0x00000000773B4000-0x00000000773B6000-memory.dmp

    Filesize

    8KB

  • memory/1188-3-0x0000000000320000-0x00000000007E0000-memory.dmp

    Filesize

    4.8MB

  • memory/1188-5-0x0000000000320000-0x00000000007E0000-memory.dmp

    Filesize

    4.8MB

  • memory/1188-18-0x0000000000320000-0x00000000007E0000-memory.dmp

    Filesize

    4.8MB

  • memory/1496-65-0x0000000000360000-0x00000000009D1000-memory.dmp

    Filesize

    6.4MB

  • memory/1496-55-0x0000000000360000-0x00000000009D1000-memory.dmp

    Filesize

    6.4MB

  • memory/2936-64-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/2936-62-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/3344-73-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB

  • memory/3344-75-0x0000000000600000-0x0000000000AC0000-memory.dmp

    Filesize

    4.8MB