Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-11-2024 14:28
General
-
Target
b5801b7b20a9ad7d1acccd19e8dafe93cf131aeed1bc5f2756d6b69048f9dae8.exe
-
Size
1.8MB
-
MD5
d2a8b6cdfaf14a244d67ed5a6d4ef96b
-
SHA1
1e1e724ddbcd0e9a1bef3329fbf7a4bdf678fcd0
-
SHA256
b5801b7b20a9ad7d1acccd19e8dafe93cf131aeed1bc5f2756d6b69048f9dae8
-
SHA512
3278f33946775cedcaaa92431fc438c638bcf70db47ae5f8096cff3fdabad826d6bc32997ec459dac4d95d1e24ed383803ec5f8e97f8168c1d5d8575cc86a9fe
-
SSDEEP
49152:HrsIs20hN29fIuGt/GU7YyyxviJiUQxJ907xvqM07bLGNH:HrdsFN29fIXGuWxa5MJ9A
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
https://navygenerayk.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b5801b7b20a9ad7d1acccd19e8dafe93cf131aeed1bc5f2756d6b69048f9dae8.exe"C:\Users\Admin\AppData\Local\Temp\b5801b7b20a9ad7d1acccd19e8dafe93cf131aeed1bc5f2756d6b69048f9dae8.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001791001\gdn5yfjd.exe"C:\Users\Admin\AppData\Local\Temp\1001791001\gdn5yfjd.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMQA3ADkAMQAwADAAMQBcAGcAZABuADUAeQBmAGoAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAxADAAMAAxADcAOQAxADAAMAAxAFwAZwBkAG4ANQB5AGYAagBkAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZAAuAGUAeABlAA==5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 2525⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001868001\8fd2b30fa9.exe"C:\Users\Admin\AppData\Local\Temp\1001868001\8fd2b30fa9.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1001869001\0ffd919ed1.exe"C:\Users\Admin\AppData\Local\Temp\1001869001\0ffd919ed1.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3920 -ip 39201⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.5MB
MD50143accc4350dcc3d211d0453f0db35c
SHA190a15d873d020b9e89c81c3240835ea939302ead
SHA25676089a25e76533661a8e8712847e024151b6c7b390634edd8cf1968d04917e57
SHA51236d5e9ff52d31f00f494a9f7bb840a0c37f8aaec065e633fdb6a3509745a5c2fdabcc47e6a6779ce9c019aedbc997770f59e10ab24203f17bf3bd1bb976c483f
-
Filesize
1.1MB
MD53a2c6e49a0d1bb24c89fa1e8ef816179
SHA1979d7f7a10fe7b18b83bd29c264cb0ef3ae89192
SHA256cff2711d0f6b9042f0ab03704add240a5eb56d348a1eda1fd90cf435e450897c
SHA512629dc8d614a2439c6945145e687a58e6b4d184546623ec905939eb1bf09abe5520b82b091199b31db4b64491508265553cc4b6ae9602e993701cfc4cbc01e8fe
-
Filesize
2.0MB
MD5ffdbb2444f2d91d386d3d79b2b06ca4c
SHA13a0d1b25b7da4f691f0fbe19b35aa78b4dc02206
SHA256585bd2f3ba3016448044f523a8202aae62ab3fa37b9566f49dd14e4439899258
SHA51223aa8860d1c332f89d635aca6eccb26c01fdeca90b2edc2f54efb62607def54032743b25cb952e72a6571a44d8b90175bb47fd67e9bb85472e3d994be92ce211
-
Filesize
2.8MB
MD567c4acf3589369c83509935e09774962
SHA14c3d056f3b828eb728512a389f90ab1b77454827
SHA256d2ce87889b31d3dc33e8cc5bc06ea5924bb5c9dcd1b55179fd257fea81a65f54
SHA512c8dd74127fdfc16afd511aeb89287974676871c58a7d4ba04283fb9113fc8879ed87281001f88beb4ceb606ba1567bed59370b3bc8ba57f71f075ede92f6170f
-
Filesize
1.8MB
MD5d2a8b6cdfaf14a244d67ed5a6d4ef96b
SHA11e1e724ddbcd0e9a1bef3329fbf7a4bdf678fcd0
SHA256b5801b7b20a9ad7d1acccd19e8dafe93cf131aeed1bc5f2756d6b69048f9dae8
SHA5123278f33946775cedcaaa92431fc438c638bcf70db47ae5f8096cff3fdabad826d6bc32997ec459dac4d95d1e24ed383803ec5f8e97f8168c1d5d8575cc86a9fe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
848KB
-
Filesize
656KB
-
Filesize
344KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
20.3MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
944KB
-
Filesize
304KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
336KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
20.3MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
20.3MB
-
Filesize
20.3MB
-
Filesize
20.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB