Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-11-2024 15:06
General
-
Target
3f9fbe536b0936a67a24bd8a45dfefd831b52d6b51876383e69feb6345d48517.exe
-
Size
3.1MB
-
MD5
36486ca446b99031e078515f821bde40
-
SHA1
4427cc053b38a9e8a3a5ac36b8a08bfa24b60367
-
SHA256
3f9fbe536b0936a67a24bd8a45dfefd831b52d6b51876383e69feb6345d48517
-
SHA512
7e282d674932898afcffc80f46ba759a57c9e1b1fa0d2f271fa905a19881e26aeb13e8fbf8bc741426bcdcc9676eaedc389557a6690165a632baaef434d59b76
-
SSDEEP
49152:f23pnACDCGIAt1WJ3qIZcqfM/NWPI1oaew1T470gjVjMd:f23FAxAt1WJ3DZcCM/CyRTmpjVj
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 7 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f9fbe536b0936a67a24bd8a45dfefd831b52d6b51876383e69feb6345d48517.exe"C:\Users\Admin\AppData\Local\Temp\3f9fbe536b0936a67a24bd8a45dfefd831b52d6b51876383e69feb6345d48517.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1004630001\8f32352eeb.exe"C:\Users\Admin\AppData\Local\Temp\1004630001\8f32352eeb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1004631001\49362c4258.exe"C:\Users\Admin\AppData\Local\Temp\1004631001\49362c4258.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1004633001\fb30887916.exe"C:\Users\Admin\AppData\Local\Temp\1004633001\fb30887916.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD54cd9e71dbd4fe83c9e2646791c93089a
SHA12107a9bc99dfc0d1fac036c9e59a786626dae7d1
SHA25692266e2506dbada2a9f94aa22c9b7b03b37771e97c58105f624748978827853e
SHA5122075c454015fa707a58f4c1a5645b6223a4c08cbaa8e9aeba79a26a050a6ab1a0f64ce4ff30c691cf31f6389dba49e1d206c5042dbc7fbb63dda0945dcab870e
-
Filesize
2.0MB
MD52f8c72218bc8d19062c1bcfc28aac96c
SHA1ca163d6116edab9f45704e91635bf350a6fcf349
SHA256b61e6a903e387ec816cd46b72d7224caec4eac2c9837562b25e6df64a5b1c76e
SHA5122408bbf4473204b765bf860daec4ff47fb4ca34ad57559acf05ae69490564920a00a01d64899bb0eda4903442610a950bcba4105d7459a9108ca4607f71133b3
-
Filesize
2.6MB
MD5434a153614e722708bfa0d9cc51a5437
SHA149714a7748b4b61e1a4b13ff87c54d377b9aff78
SHA2565a9bd3b8c8d79747adb97806805db047ecc41b5054835a7cc61aba42d5559b3c
SHA51219d049cb6d3e6d2e94b004dc83be84fa2473b2fc640dd38d0c69e4de469754808c365392b8652716df578a6ed806a769e34257fb369077be69434ba9734de8ef
-
Filesize
3.1MB
MD536486ca446b99031e078515f821bde40
SHA14427cc053b38a9e8a3a5ac36b8a08bfa24b60367
SHA2563f9fbe536b0936a67a24bd8a45dfefd831b52d6b51876383e69feb6345d48517
SHA5127e282d674932898afcffc80f46ba759a57c9e1b1fa0d2f271fa905a19881e26aeb13e8fbf8bc741426bcdcc9676eaedc389557a6690165a632baaef434d59b76
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
7.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB