Overview

overview

10

Static

static

3

SecuriteIn...70.exe

windows7-x64

10

SecuriteIn...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    07-11-2024 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe

  • Size

    3.1MB

  • MD5

    1a81dffb83d8e7ff3adf172aaadaf388

  • SHA1

    8cedfd2a864c409afef1cb0a8ad002f8a5f0ef8e

  • SHA256

    447fa6e76e1f5060cf82af86a9f8f4a7916d77a25ae28214f9469c3f66c6ba66

  • SHA512

    77289ebb8ff65befc192ff32cd123b2bda303dc48b5e1738bd689ad71139a7dbced09a65ff2597264137b7d11e855af9cdef715e52a8c0c4bac71baa8ae9f8db

  • SSDEEP

    49152:Kw9BGhpTLZmp4ZIM/HPsWydHLGLO3pz85Z5Yis7:Kw9mLZmpIP/HPsxLhp45Z5Y

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Users\Admin\AppData\Local\Temp\1004582001\c4ca5d5f2b.exe
        "C:\Users\Admin\AppData\Local\Temp\1004582001\c4ca5d5f2b.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2276
      • C:\Users\Admin\AppData\Local\Temp\1004583001\f13aae09d1.exe
        "C:\Users\Admin\AppData\Local\Temp\1004583001\f13aae09d1.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1908
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1628
      • C:\Users\Admin\AppData\Local\Temp\1004585001\f7b86bb43a.exe
        "C:\Users\Admin\AppData\Local\Temp\1004585001\f7b86bb43a.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Windows security modification
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1004582001\c4ca5d5f2b.exe
    Filesize

    3.1MB

    MD5

    e17e79621707b33deebbb062396a7cb5

    SHA1

    8f525636a1320a50c51312de1981d53d9e545599

    SHA256

    ef85019d3696285f9a0d5c9b4c4134a68713b6294cb77a9dc41e0223ea7bede9

    SHA512

    5150c7af1b0565d2b975e550d080db0e8253a1847a0ac0aeadc11d091c02b128941caeb5b6b1bd9d60a878165b1aab7b38a37dd7f07ca2e9aecb0b90c519d9b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1004583001\f13aae09d1.exe
    Filesize

    2.0MB

    MD5

    11d426c888db116423f5b98a68f128e7

    SHA1

    b1130e91da13796704eed24164d53b537d5abe09

    SHA256

    086d33d97dacb90e333a023aae5df67812e44c25fb1492775936ed12a8245e43

    SHA512

    37d2ce2eb090af5c21b3c72b1e0ad72aad527cc7ac6f5d6f0bc5c0e46390c90923378b69c25ff4137deba52819f552cfe82d851eea6fa4e2007fe5320b0a45d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1004585001\f7b86bb43a.exe
    Filesize

    2.8MB

    MD5

    cbfc105b9cb7dced3c04bd59923d1dbf

    SHA1

    5b09cd4133bdeea3682049a90585038c0fc4c5f5

    SHA256

    5cb7b346c8782f4ac5dd3f286493cdb0a810bcbfc521c495775105f9831348a0

    SHA512

    c6d2277d8a873a2f2115d863d1899d5e5f558d68fe35097fc740ffaf13e0bcae47983f3bd8a94c9f2cc6640a0ca317a837442e9de5e24264bd46562df7b542f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Filesize

    3.1MB

    MD5

    1a81dffb83d8e7ff3adf172aaadaf388

    SHA1

    8cedfd2a864c409afef1cb0a8ad002f8a5f0ef8e

    SHA256

    447fa6e76e1f5060cf82af86a9f8f4a7916d77a25ae28214f9469c3f66c6ba66

    SHA512

    77289ebb8ff65befc192ff32cd123b2bda303dc48b5e1738bd689ad71139a7dbced09a65ff2597264137b7d11e855af9cdef715e52a8c0c4bac71baa8ae9f8db

    Download Submit

  • memory/1628-119-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-117-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-99-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-123-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-103-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-102-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-106-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-107-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-109-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-110-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-112-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-113-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-118-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-120-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-121-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-114-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-116-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-115-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-95-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-108-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-104-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-94-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-96-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-97-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-98-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-75-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-77-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-79-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-81-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-83-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-85-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1628-88-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-91-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1628-90-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-92-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-111-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-100-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-105-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-93-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1628-101-0x0000000000400000-0x0000000000B34000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1908-68-0x00000000009D0000-0x0000000001104000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1908-66-0x00000000009D0000-0x0000000001104000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1936-0-0x0000000000F20000-0x0000000001231000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1936-14-0x0000000000F20000-0x0000000001231000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1936-5-0x0000000000F20000-0x0000000001231000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1936-2-0x0000000000F21000-0x0000000000F89000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1936-3-0x0000000000F20000-0x0000000001231000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1936-17-0x0000000000F21000-0x0000000000F89000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1936-1-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2276-44-0x00000000000A0000-0x00000000003C0000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2276-41-0x00000000000A0000-0x00000000003C0000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2592-170-0x0000000000E70000-0x000000000113C000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2592-164-0x0000000000E70000-0x000000000113C000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2592-166-0x0000000000E70000-0x000000000113C000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2592-172-0x0000000000E70000-0x000000000113C000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2592-165-0x0000000000E70000-0x000000000113C000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3040-74-0x0000000006110000-0x0000000006421000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-43-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-39-0x0000000006240000-0x0000000006560000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-40-0x0000000006240000-0x0000000006560000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-38-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-21-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-19-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-18-0x00000000011F1000-0x0000000001259000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3040-16-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-73-0x0000000006240000-0x0000000006560000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-149-0x0000000006110000-0x0000000006421000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-45-0x00000000011F1000-0x0000000001259000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3040-46-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-163-0x0000000006110000-0x00000000063DC000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3040-47-0x00000000011F0000-0x0000000001501000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3040-63-0x00000000069A0000-0x00000000070D4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/3040-168-0x0000000006110000-0x00000000063DC000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3040-64-0x00000000069A0000-0x00000000070D4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/3040-122-0x00000000069A0000-0x00000000070D4000-memory.dmp

    Filesize

    7.2MB

    Download