Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 02:05
General
-
Target
0bc54a76b0a63d8f0022caf8804a3fbb9ce0d497aedc7274ab7c9bc988b17363.exe
-
Size
3.1MB
-
MD5
5c87bc7b86c06bb8cd470891009473f0
-
SHA1
5206f5d15901d89f85e8eaffb3c769c157b0718f
-
SHA256
0bc54a76b0a63d8f0022caf8804a3fbb9ce0d497aedc7274ab7c9bc988b17363
-
SHA512
c4d9f94f58f19c3cadfa0eff7651dcf0c6ef3278848b53a4bb4b5aee19c8442248f233d22256eaf5f1f5e107d635623f8eb5598f3e8bdd3c209b9b6f27d6365a
-
SSDEEP
49152:uOYlNL4bhn1aqOU0y3xLYSFNo822Vy8cFGmrt0uU:8Nsbhn5OUh3xLYSD20y7B
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
xworm
5.0
husktools.duckdns.org:7000
9W5nR6YNY2Cs1cQg
-
Install_directory
%Userprofile%
-
install_file
XClient.exe
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Xworm Payload 1 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bc54a76b0a63d8f0022caf8804a3fbb9ce0d497aedc7274ab7c9bc988b17363.exe"C:\Users\Admin\AppData\Local\Temp\0bc54a76b0a63d8f0022caf8804a3fbb9ce0d497aedc7274ab7c9bc988b17363.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1004252001\47e2cffcc2.exe"C:\Users\Admin\AppData\Local\Temp\1004252001\47e2cffcc2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 15044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 14844⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004253001\fee162bddb.exe"C:\Users\Admin\AppData\Local\Temp\1004253001\fee162bddb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1004255001\6123df5bb5.exe"C:\Users\Admin\AppData\Local\Temp\1004255001\6123df5bb5.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1004256001\xwo.exe"C:\Users\Admin\AppData\Local\Temp\1004256001\xwo.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\XClient.exe"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\iudngn.exe"C:\Users\Admin\AppData\Local\Temp\iudngn.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /d /c blxfpmth.bat 27339655986⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\foksdes.exefoksdes.exe ltkqnerwt.nuts 27339655987⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 12928⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 2764⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3664 -ip 36641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3664 -ip 36641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3868 -ip 38681⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\XClient.exeC:\Users\Admin\XClient.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1220 -ip 12201⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\XClient.exeC:\Users\Admin\XClient.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
841B
MD50efd0cfcc86075d96e951890baf0fa87
SHA16e98c66d43aa3f01b2395048e754d69b7386b511
SHA256ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7
SHA5124e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1
-
Filesize
3.0MB
MD56fa0c37408adbc0da35c4f7e14e8ae2f
SHA128af945faa9564434706c706fdda589b51d7dfdc
SHA256128057316ab024aa6ba98ea385f98c49a7b8b36dd5adad1dc453091982c60a45
SHA5127601e65cf8195334a8020972af3530f14e98a65402c6fbc1a95965dfa3b4bc9810676f3cbcc98ad2a65a837fe45e9ea61c7ebe7a0388e5265c27ffebac2d53d7
-
Filesize
2.1MB
MD5df4ea4a8afcceb8e19558408e42ea473
SHA1033bc0096ba5b468af9709be7e8df5ef6e1f6577
SHA256d0a18c1d84ebb376f2244ad1f79be69c981b97e0c17c1cc9d61bf73b8cf950b6
SHA5120a1d29d5e50469fdb5a785ad355fa8b6481d5da138bebf1b0499ec119c9299ec22d78abe5b6a2c9e7089a5ec2f6d1bc54ec972ef61c3ee3c246544974b068e38
-
Filesize
2.6MB
MD5df6dcea465adfa3d944f6bbf27ff2773
SHA1ef7f22219b8c824bc531df4f615edd1882c54ae4
SHA25629d9973d5792eabfeb8e26c078a437eb0876eb2e80107095e2b4af98b1f56c03
SHA5124f5686be95ea4a41e4e2459c2aa841d336cf82fca9c042a05d5f8470ec8dbf994771d639e78112b2b8218799f099152331e36263652e6354b9e587ee575baa03
-
Filesize
189KB
MD57949220a0b341111716a81695324be27
SHA1d79653b53e3affa5081d25cdea077299105d0472
SHA256a22f6db007744f7768782280e66832487b3b193ff20825203bb56210b7c4e923
SHA512e051e96a0334ce6cc7b6a43dffebfdcf93b40824db9cec64c6a2e71aed24bd26232645edbac14a47afe02fb0d12384da9648ea402df9232892330afce91fe303
-
Filesize
129B
MD5e3e7c6abcc98cf2046e4548f6cee4cc1
SHA1b656c8f851a2b27ace9218c457234f3af3921def
SHA256dc4335f02e30f1903f5f58100631d6d9fb681f40c831c56c377b279659d7c980
SHA5120f625f4b86ee55d71e091ca73eff7436caee91646568f2d2e0d9cde73b1aac041238ab24b80ecef4a0f56982602670bf04f11b27cf95799dccc4de70a24151ce
-
Filesize
1B
MD569691c7bdcc3ce6d5d8a1361f22d04ac
SHA1c63ae6dd4fc9f9dda66970e827d13f7c73fe841c
SHA25608f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1
SHA512253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12
-
Filesize
3B
MD5158b365b9eedcfaf539f5dedfd82ee97
SHA1529f5d61ac99f60a8e473368eff1b32095a3e2bf
SHA25639561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90
SHA512a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09
-
Filesize
33B
MD5500ba63e2664798939744b8a8c9be982
SHA154743a77e4186cb327b803efb1ef5b3d4ac163ce
SHA2564ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba
SHA5129992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7
-
Filesize
5.2MB
MD5a919729a18174fbbbc592801f8274939
SHA1d2d18176e1a56e95449d48d0943030d94bc045f7
SHA2566f639b042ecff76e4be8c4db5a36bb3ae783624b44df31628f7c52e4489d0f3d
SHA51236aae913b019420149d53e2018de2585c6dff0c0fca927f05af030b396eed0833b120b0e84fc0bdf397f7eb0074f44fa85603175e5dcf08f437961ab3e5ce7d6
-
Filesize
5.2MB
MD52890f1847d5d5f8f0e0c036eb0e9d58c
SHA1656306727fb15c4c43c40b57eb98c016fd1ec6fd
SHA256f0280e1f5c2568e5fda9f911ab8341b47914a21d30f854136299f510dc843816
SHA512233d5d07e98dc55c2d4d992f4d86b3bd19850db871e514569fc28e39b4cf8552f2225e38527341f85eb50a357b7781924185de163e540f270e3157545be6bda6
-
Filesize
649KB
MD5f13abd3bcda49faefe70b33fd1760b39
SHA1fbd073da05d4df60b3e4646207764c74afbe7be8
SHA25644c8d64e2353b4d9b5ab35a690d78a48d221ba72364a0939c65fbe0209db7bd8
SHA512e867e8ac32cec8f186946844908fca7a6752383669227345137024434efd688edb5e5b3975141897465bc9f2adbacde39b1dd59ab84791ccc54878da04915985
-
Filesize
3.1MB
MD55c87bc7b86c06bb8cd470891009473f0
SHA15206f5d15901d89f85e8eaffb3c769c157b0718f
SHA2560bc54a76b0a63d8f0022caf8804a3fbb9ce0d497aedc7274ab7c9bc988b17363
SHA512c4d9f94f58f19c3cadfa0eff7651dcf0c6ef3278848b53a4bb4b5aee19c8442248f233d22256eaf5f1f5e107d635623f8eb5598f3e8bdd3c209b9b6f27d6365a
-
Filesize
3.6MB
MD582c82de31b75a937ed7c32a807a5771c
SHA1eb2c4ed1a4d35be01575c9fc6ebf755ba642fa6a
SHA2563b5ba3bc3f7b18f9e415ee3cf10825a9bf8f48bea24335349daacaefbd2fdff1
SHA51237ea787c7c9ca7b60f5d20908326a3ae0ff35a17c55c3b1fc499b6b5f3a95fad71002a72c194dea73bbfa1ee8de0a49fb1b16a142f8f7426b2defed8c6c0038b
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.4MB
-
Filesize
104KB
-
Filesize
256KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
352KB
-
Filesize
3.0MB
-
Filesize
352KB
-
Filesize
3.1MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB