Overview

overview

10

Static

static

3

92868bb45f...b1.exe

windows7-x64

10

92868bb45f...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92868bb45ff9ce3ed318759d66097630ab39f861dcc173d710e1a6a37f7a5ab1.exe

  • Size

    1.8MB

  • MD5

    1a7879446907ff07beee4e0dc7e0fd9d

  • SHA1

    8ac81711576526013d50a6ce43b85097b4a26dff

  • SHA256

    92868bb45ff9ce3ed318759d66097630ab39f861dcc173d710e1a6a37f7a5ab1

  • SHA512

    f029c01da5ca7a6aecefa099458ddc35e91c5d17418937b8a75888a4ea1b21b336307e29a3de3b56546ad9a726c82d903f43f269bc423d0bd23e25491212ffa4

  • SSDEEP

    24576:UngnMQMAmwPkHDLkbWZlqntb9QguICB7R1fv9o5pd/kz1cYRKLQAYYvnUTmy0MPO:UnHQMAmlLQqJby5D/kJnK8Ap/Byx9

Score
10/10
amadeylummastealcfed3aatalediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92868bb45ff9ce3ed318759d66097630ab39f861dcc173d710e1a6a37f7a5ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\92868bb45ff9ce3ed318759d66097630ab39f861dcc173d710e1a6a37f7a5ab1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Users\Admin\AppData\Local\Temp\1002150001\3710fa0713.exe
        "C:\Users\Admin\AppData\Local\Temp\1002150001\3710fa0713.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4440
      • C:\Users\Admin\AppData\Local\Temp\1002151001\e9586113ef.exe
        "C:\Users\Admin\AppData\Local\Temp\1002151001\e9586113ef.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3912
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1444
          4⤵
          • Program crash
          PID:1892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1508
          4⤵
          • Program crash
          PID:4568
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1508
          4⤵
          • Program crash
          PID:3360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3912 -ip 3912
    1⤵
      PID:4324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3912 -ip 3912
      1⤵
        PID:3628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3912 -ip 3912
        1⤵
          PID:3696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3912 -ip 3912
          1⤵
            PID:4540
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3912 -ip 3912
            1⤵
              PID:4064
            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:4640
            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:4212

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\1002150001\3710fa0713.exe
              Filesize

              2.0MB

              MD5

              108abf9fa612ba1a63e7c93a5809018f

              SHA1

              85945bade7fa8d5c2188057e9d27f4bf0324dacf

              SHA256

              71d477ad71d6bc262e17cc443a294c5557e696787dcf7a01c7f55d598f929f76

              SHA512

              d90f88972a1428022b3b443544f01129c2c98bc392276abd751b854ebca9b33207005faaccae3502213a67c2b0973f8fc40a025dbc31b4b2e02a7f552b42a2e6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\1002151001\e9586113ef.exe
              Filesize

              3.1MB

              MD5

              c4021198121ba7dba0403d6102a32535

              SHA1

              d93e7ab66365d270639616af084d877fd32220fe

              SHA256

              c4c130f28e4b2690bec5789a99a88e2ea2301e04352bd2005a47275555ec0731

              SHA512

              543a6bf8949b2dfd19e6d268afad7a2e4e014ce221260738b950bd9e17f4239362be59464f541733334e859c943bc9cdbcfdf913be51999e19e336e9f39387d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
              Filesize

              1.8MB

              MD5

              1a7879446907ff07beee4e0dc7e0fd9d

              SHA1

              8ac81711576526013d50a6ce43b85097b4a26dff

              SHA256

              92868bb45ff9ce3ed318759d66097630ab39f861dcc173d710e1a6a37f7a5ab1

              SHA512

              f029c01da5ca7a6aecefa099458ddc35e91c5d17418937b8a75888a4ea1b21b336307e29a3de3b56546ad9a726c82d903f43f269bc423d0bd23e25491212ffa4

              Download Submit

            • memory/2028-0-0x0000000000EE0000-0x00000000013A5000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2028-2-0x0000000000EE1000-0x0000000000F0F000-memory.dmp

              Filesize

              184KB

              Download

            • memory/2028-18-0x0000000000EE0000-0x00000000013A5000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2028-1-0x00000000777B4000-0x00000000777B6000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2028-3-0x0000000000EE0000-0x00000000013A5000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2028-4-0x0000000000EE0000-0x00000000013A5000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/3912-65-0x0000000000110000-0x000000000042B000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/3912-60-0x0000000000110000-0x000000000042B000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/3912-63-0x0000000000110000-0x000000000042B000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/4212-80-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4212-79-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4440-37-0x0000000000270000-0x0000000000988000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4440-41-0x0000000000270000-0x0000000000988000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4440-39-0x0000000004E50000-0x0000000004E51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4440-40-0x0000000000271000-0x00000000002D9000-memory.dmp

              Filesize

              416KB

              Download

            • memory/4640-69-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4640-71-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-21-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-73-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-61-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-62-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-43-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-42-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-66-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-67-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-38-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-20-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-72-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-59-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-74-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-75-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-76-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-77-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-19-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-16-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-81-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-82-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-83-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-84-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4868-85-0x0000000000CC0000-0x0000000001185000-memory.dmp

              Filesize

              4.8MB

              Download