Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-11-2024 02:25

General

  • Target

    26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca.exe

  • Size

    5.5MB

  • MD5

    27804d55f185edb91ed8ec5c15066fe5

  • SHA1

    6b5339943f113562612b929604f850ccdfa2681a

  • SHA256

    26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca

  • SHA512

    4f458ad6580ef5a266f36b194d7a32b31a686ab7d88ced7b42c5ac972f17496b5fbb755359bc553d75533f03dd54b1feee01b470e42488ba66ea67050b901838

  • SSDEEP

    98304:yfz+nFIl9jheluAfkir3x/rgoihJGK1GVkY+Qd8snFRT66C5K8MSvnGdv8WGCP:yL+nGvhe8AxrXiPyVk19b91CP

Malware Config

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca.exe
    "C:\Users\Admin\AppData\Local\Temp\26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1C74.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1C74.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h6379.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h6379.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1600
          4⤵
          • Program crash
          PID:4016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S96n.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S96n.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3336
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4w017y.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4w017y.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3712 -ip 3712
    1⤵
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3112
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4472

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4w017y.exe

      Filesize

      3.1MB

      MD5

      2f2a8968bcdc26dc26f35a7f0e741b94

      SHA1

      8ff2c4c2bac54fc34c12ee6e8b2349141ae1703c

      SHA256

      b4ed53947a407459822c5d352bb5300a5885b9dec2b6c319c48f54b57a02e2eb

      SHA512

      6288b580f9da2760f2b30565cfa6b5c57c2e9c776e3f04ad7ac1f5c5630678aea869f5f0d494aa244e2dbeb17615936fb29f68a20b0f23325238a5c417568ef9

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1C74.exe

      Filesize

      3.8MB

      MD5

      be4cd825680f7e4844f9a8c61f7cecbf

      SHA1

      66e394e730bbc4b5d51e32954fa2872f3971b64d

      SHA256

      1145f46f15c58ea7effd2900dde5a9bc9fc6e69783e74189e348d7eca867612f

      SHA512

      2fa4f7a9e393e0f814840e9fedd14787a76d564e81ce6dc17f12e1d9e882c1b0acdd2551e03d941e6f9a6ed5d5985087e7cf69000fb530c6fc7735ab31342055

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h6379.exe

      Filesize

      2.9MB

      MD5

      781c92234ad3fa7fafda08c434d9a50e

      SHA1

      eae985ceabb46b58a7460c29620288535e7bb5ce

      SHA256

      74495c23ae1c2767bc43b39a3f4cea3a6414280dbcf9610d66b4faeaf31b6724

      SHA512

      b6dbd83e54f87e3223312a36d7276dfd2a09ae0689a48ba689d5c99b37d222a2ba8c534b89176227ce1b6d1ccec8d7d9c50fae78065d8c3af312aee8dc05aa6e

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S96n.exe

      Filesize

      2.0MB

      MD5

      7e2272452770fce26baaaf4fca490edf

      SHA1

      f7415b286c2ce27fd9b1d2de81fa13634cb6da15

      SHA256

      edde457b0a32e570c98fcd0868170dfa06990bccd396c4b38b4e8d69bd72d500

      SHA512

      dec16f81df500beda931441c42349483e5058f241da53021c0cade0471a2fcd7fa102efa1c0bd7bdbbfbff1f75d5100302cb4a30c647b99715b962b3217fca26

    • memory/1276-55-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-49-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-64-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-63-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-60-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-59-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-58-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-57-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-40-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-56-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-52-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-51-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-46-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-47-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-48-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1276-50-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1712-45-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1712-43-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1968-41-0x00000000006B0000-0x00000000009CC000-memory.dmp

      Filesize

      3.1MB

    • memory/1968-27-0x00000000006B0000-0x00000000009CC000-memory.dmp

      Filesize

      3.1MB

    • memory/3112-54-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB

    • memory/3336-23-0x0000000000B80000-0x00000000012A5000-memory.dmp

      Filesize

      7.1MB

    • memory/3336-22-0x0000000000B80000-0x00000000012A5000-memory.dmp

      Filesize

      7.1MB

    • memory/3712-14-0x0000000000390000-0x00000000006A1000-memory.dmp

      Filesize

      3.1MB

    • memory/3712-17-0x0000000000390000-0x00000000006A1000-memory.dmp

      Filesize

      3.1MB

    • memory/3712-15-0x0000000077B54000-0x0000000077B56000-memory.dmp

      Filesize

      8KB

    • memory/3712-16-0x0000000000391000-0x00000000003B9000-memory.dmp

      Filesize

      160KB

    • memory/3712-18-0x0000000000390000-0x00000000006A1000-memory.dmp

      Filesize

      3.1MB

    • memory/4472-62-0x0000000000FB0000-0x00000000012CC000-memory.dmp

      Filesize

      3.1MB