Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-11-2024 12:00
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
46465c85a1ff3747b195b7638ddd42d0
-
SHA1
ec707c4a58c19d6bfddfa11097730521c5b43698
-
SHA256
edc41ee27d1580b4f0b0d94633c81320cbbc55a00f304cd2956673bdaf36f79a
-
SHA512
6727396a3c596b33a20728048999125e5007adaf85625ffaf1d4e81d1afe78d741dbe7adc6cb70df8fbb5fa6ac2412fa4b075d9aef2c2ca8134e125b97b2de99
-
SSDEEP
49152:wI+4z3xTa2QL1r0eJXD4rJFrg1QlFOmwWgqJ:wIhhUL1r0eJXD4rJhGQl4mpn
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
remcos
DPDNOW
dpdnow.duckdns.org:8452
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-A34JIZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 11 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe"C:\Users\Admin\AppData\Local\Temp\1004494001\remcos_a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Remcos\remcos.exe"C:\ProgramData\Remcos\remcos.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004598001\831c694319.exe"C:\Users\Admin\AppData\Local\Temp\1004598001\831c694319.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1004599001\7dfae6eafb.exe"C:\Users\Admin\AppData\Local\Temp\1004599001\7dfae6eafb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1004601001\69ab98dbe5.exe"C:\Users\Admin\AppData\Local\Temp\1004601001\69ab98dbe5.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5e35c896c5011734559130095084da18b
SHA16dda56d0305acbfb9667e1e7414c09a75dcffbca
SHA256fbe3976e4d55665f965594980491e1242552f772cb5648aa2028acd8e8740716
SHA512ddc8774bd4b696c164552d18b6164758830673ca7acfed105faea3cc0d5af42eea3f68902083cd69499aea74f5a9307001a66bc0baab817667929237be23a405
-
Filesize
1.9MB
MD5b85c47881ba0eb0b556b83827f8e75c8
SHA1dccdf0daee468f9e9bed3edf928f0839d26b47cb
SHA2569d577624acca69f5b4097a6882e934b026a344757cf5cf31f3341e643ed2ba20
SHA512ca158aff36e4eeff5d1c263a79972dfa0aa7584132f12a3d301a5cc5c47b57309fe71b4837c7b8caa5022cb18529b565d6a0849acdabd1af939b76b48284a605
-
Filesize
3.1MB
MD5ba4f3e063cc29e24e49e7bf0b8272312
SHA10baed49558f88d6da8b30bcb4a4a5b17e1b070ff
SHA2566e139931e2e96d0c0131ff0c704d66816627a683bd54d63a1de03762198bafcc
SHA512c901fc3ef890fdf734be6e99845bba403910282025fa7fe7534cddd387ae59128929c5d1bade1990309e78a42e1a44d4b0c0ece452a1e40401bf6104bfd6ceed
-
Filesize
2.0MB
MD59e9d31eba7c246e195f2c97e3cc2f492
SHA1f9aa0488a34cfb533684c1244c979ab9a2acd8df
SHA256cf390add5c6914d74ae8393be745cc14ab43542f986f985f30d18f9181a34a23
SHA512a7cfd1933259f0d39f63fff1a36f6c03a60f240cabd1e18189c8310f3820428d091dda903873ba1104a7301144b0923d49fe092eca7703297f66f37f65e0a436
-
Filesize
2.7MB
MD5ea19e2180e8d8ddab430a332a4ef8703
SHA14b11a13d49b7c567cbac7623adb335877c708801
SHA25630ba58e31b4b4939caa1ce9e18f9c8ac1161d64221f2b768ec61918596a72890
SHA51215b3249a67bcc4c5b878b169147dd4e046394a4402ca8dc838883562c65efdb2ce8fb86375e39edcc6d36d1bab85079851d34a49c302b3034424d187b6bc829a
-
Filesize
3.1MB
MD546465c85a1ff3747b195b7638ddd42d0
SHA1ec707c4a58c19d6bfddfa11097730521c5b43698
SHA256edc41ee27d1580b4f0b0d94633c81320cbbc55a00f304cd2956673bdaf36f79a
SHA5126727396a3c596b33a20728048999125e5007adaf85625ffaf1d4e81d1afe78d741dbe7adc6cb70df8fbb5fa6ac2412fa4b075d9aef2c2ca8134e125b97b2de99
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB