Overview

overview

10

Static

static

3

1e0c279995...fe.exe

windows7-x64

10

1e0c279995...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe

  • Size

    1.8MB

  • MD5

    659a28dd5c85f4482c3818467461f372

  • SHA1

    a9f54c9aa53da8f3e8b47ab4ed4650b9e0df0f3f

  • SHA256

    1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe

  • SHA512

    123c05cbc778406da4fab525c84fc8650c714826d8984a5de4753ccc17dcf59e43f4a2b48d16aa56d54466616f42d485e9b4307ce7a24fa56b1691064ec3c5cf

  • SSDEEP

    49152:TQsjXkTmwxhOCTzyr9uInP/OkMk8X+dINgZcb:dnONHSUIe1Rxb

Score
10/10
amadeylummastealcfed3aatalediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe
    "C:\Users\Admin\AppData\Local\Temp\1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe
        "C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe
          "C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 276
          4⤵
          • Program crash
          PID:2260
      • C:\Users\Admin\AppData\Local\Temp\1001881001\525f46e829.exe
        "C:\Users\Admin\AppData\Local\Temp\1001881001\525f46e829.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2472
      • C:\Users\Admin\AppData\Local\Temp\1001882001\496027d13d.exe
        "C:\Users\Admin\AppData\Local\Temp\1001882001\496027d13d.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
    1⤵
      PID:1120
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1372
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3108
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1001858001\18ijuw13.exe
      Filesize

      1.1MB

      MD5

      3a2c6e49a0d1bb24c89fa1e8ef816179

      SHA1

      979d7f7a10fe7b18b83bd29c264cb0ef3ae89192

      SHA256

      cff2711d0f6b9042f0ab03704add240a5eb56d348a1eda1fd90cf435e450897c

      SHA512

      629dc8d614a2439c6945145e687a58e6b4d184546623ec905939eb1bf09abe5520b82b091199b31db4b64491508265553cc4b6ae9602e993701cfc4cbc01e8fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1001881001\525f46e829.exe
      Filesize

      2.0MB

      MD5

      c983763cb4748946877c3fada66f0670

      SHA1

      e1387fbe57898c299da3e73babe05f708b1d9fd2

      SHA256

      c28f928469cb659df78d1a3c658a2fff4164603739e1ba0e49e3e18724136fec

      SHA512

      43dc253799761ce5770403361ee5839e1ba72c44064f74b50783fef38dcb6da3a1c8b57d7b60f6ab44e0824881872cbd0865d2e55cf5473deaa8eee1e25478a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1001882001\496027d13d.exe
      Filesize

      2.9MB

      MD5

      41c7a8d055d4764bef4f5e86ffaf07d5

      SHA1

      4fd80bccf51007bde1c93e0eedf539687acd83d7

      SHA256

      c4de4d4e2ae5eb23cbbc6d3efaaa9ce93ed9c45bf8d1c8ab63a829c756f78ef2

      SHA512

      cd81a5e23b0c00f3f8d23f98a2302a6e72513087423efe5546a7b3081344ba59114a6832caebfd440e755d97cf1040287d381716a1adb683b0a08b2e8bfd3019

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Filesize

      1.8MB

      MD5

      659a28dd5c85f4482c3818467461f372

      SHA1

      a9f54c9aa53da8f3e8b47ab4ed4650b9e0df0f3f

      SHA256

      1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe

      SHA512

      123c05cbc778406da4fab525c84fc8650c714826d8984a5de4753ccc17dcf59e43f4a2b48d16aa56d54466616f42d485e9b4307ce7a24fa56b1691064ec3c5cf

      Download Submit

    • memory/1372-82-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1372-81-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2472-52-0x0000000000D50000-0x0000000001482000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/2472-54-0x0000000000D50000-0x0000000001482000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/3108-90-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3108-91-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3108-99-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3124-79-0x0000000000AA0000-0x0000000000DAD000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3124-72-0x0000000000AA0000-0x0000000000DAD000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3464-75-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3464-77-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

      Download

    • memory/3748-4-0x0000000000D50000-0x000000000120A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3748-3-0x0000000000D50000-0x000000000120A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3748-2-0x0000000000D51000-0x0000000000D7F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3748-18-0x0000000000D50000-0x000000000120A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3748-1-0x0000000077054000-0x0000000077056000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3748-0-0x0000000000D50000-0x000000000120A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-73-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-74-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-71-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-55-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-21-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-83-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-84-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-85-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-86-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-87-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-88-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-19-0x0000000000081000-0x00000000000AF000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4632-20-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-92-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-93-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-94-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-95-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-96-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-97-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-16-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/4632-100-0x0000000000080000-0x000000000053A000-memory.dmp

      Filesize

      4.7MB

      Download