Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.1MB

  • MD5

    54c9ea8ac7622aff4d850cf022a22a1d

  • SHA1

    1de3718ae7e13ea6ecacb896fddb243fd231d26a

  • SHA256

    b471d83544480a8ce96646e0f4bc4d4ad483ccf2eb2b93e7f16eca4906c28139

  • SHA512

    bf776b2f8bd8e5551d65d95277fb5d1316b39ed7b7feb345de1966716cfb4194261900d7adb02b2958539164469ac6eb19f10d61bd8c0a7af3da2eb7127caf01

  • SSDEEP

    49152:WCT6txMtB7zQj79mS2wU2xRClLzoWbNsLVJAY:WC2t0sj79mS2wUuRCpI5+

Score
10/10
amadeylummastealcxworm9c9aa5talediscoveryevasionpersistenceratstealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

87.120.112.33:8938

Mutex

rMibaOUiuViiguc4

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579

aes.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Xworm Payload 3 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Users\Admin\AppData\Local\Temp\1004732001\document.exe
        "C:\Users\Admin\AppData\Local\Temp\1004732001\document.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:776
      • C:\Users\Admin\AppData\Local\Temp\1004793001\f6572040a5.exe
        "C:\Users\Admin\AppData\Local\Temp\1004793001\f6572040a5.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1816
      • C:\Users\Admin\AppData\Local\Temp\1004794001\013a1c6b59.exe
        "C:\Users\Admin\AppData\Local\Temp\1004794001\013a1c6b59.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2216
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
          PID:2308
        • C:\Users\Admin\AppData\Local\Temp\1004796001\1a7bc0d22c.exe
          "C:\Users\Admin\AppData\Local\Temp\1004796001\1a7bc0d22c.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Windows security modification
          • System Location Discovery: System Language Discovery
          PID:3000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1004732001\document.exe
      Filesize

      1.7MB

      MD5

      1aa5cd181621c7e3f04bcfdf3b31c263

      SHA1

      694da2562c80da15128d4fdd305219f97c9fb970

      SHA256

      b738ac1ae6debdb89df7e074577c1f0c12dfb80fa6cb708e08f168b744386a6b

      SHA512

      1e4f1d3b81e47f2beb64eca5e913750bafd8c2451afda104e6c8562e4d4fcccdf2a27eb39d2ae17ce7fcab86defec98bc4fa986f6f39b793d2890e1358250c28

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1004793001\f6572040a5.exe
      Filesize

      3.1MB

      MD5

      9ca00013e05b7875248c387f70cd037a

      SHA1

      709e88ba253928997501d661a11966240283af1e

      SHA256

      3f20a0e05ac2e3bca1f69b9ed8d6a0189b0e3ad244a30e38a600f79c371ae27d

      SHA512

      4175a4d2afa174cf25a315231ee481e56195b9afa6873a15b59a44c567f2bd6326f406f2485b8be258bb971fe1098e41698982372eedecbe6b9422822303b141

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1004794001\013a1c6b59.exe
      Filesize

      2.0MB

      MD5

      f3a208d03776378776a9fdc3ce740ac9

      SHA1

      96464cb96d17ad6cd55aa3e143e9cbda3f4dc47d

      SHA256

      4899660112f2e8f637d3236a7081ce7b53887651ed896712acda6509f473e439

      SHA512

      0a8dde8ab1e79fd5b79d6dc9601e11313f988782ae4f3d86b049693852067091593efa9b38c03932cc7e2d18e5e025a93e2ee14c1a4ca44fe137172db62602c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1004796001\1a7bc0d22c.exe
      Filesize

      2.7MB

      MD5

      05724c3b1d1bcc645590dd15b13ac538

      SHA1

      aa061ff5e6a599c94231d676d8c3730e6865349f

      SHA256

      05b13829de4243769feaa6203bf2a33122c5268acc09d14b287cc32b7a93fe92

      SHA512

      2356b42ba7bbf8699e878d09b12ef89897c8f680d2b8573836b7b62ef6758de8cfb86538abea2179c561729dccc54b069ef7954b68496014a14df6efabeb929b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Filesize

      3.1MB

      MD5

      54c9ea8ac7622aff4d850cf022a22a1d

      SHA1

      1de3718ae7e13ea6ecacb896fddb243fd231d26a

      SHA256

      b471d83544480a8ce96646e0f4bc4d4ad483ccf2eb2b93e7f16eca4906c28139

      SHA512

      bf776b2f8bd8e5551d65d95277fb5d1316b39ed7b7feb345de1966716cfb4194261900d7adb02b2958539164469ac6eb19f10d61bd8c0a7af3da2eb7127caf01

      Download Submit

    • memory/776-68-0x00000000012A0000-0x000000000170C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/776-44-0x00000000012A0000-0x000000000170C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/776-43-0x00000000012A0000-0x000000000170C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/776-42-0x00000000012A0000-0x000000000170C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/1816-67-0x00000000010E0000-0x00000000013F7000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1816-63-0x00000000010E0000-0x00000000013F7000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2216-88-0x0000000001130000-0x0000000001850000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2216-91-0x0000000001130000-0x0000000001850000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2832-36-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-117-0x0000000006270000-0x0000000006534000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/2832-147-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-37-0x0000000006890000-0x0000000006CFC000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2832-39-0x0000000000991000-0x00000000009F9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2832-22-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-41-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-40-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-21-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-19-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-45-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-18-0x0000000000991000-0x00000000009F9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2832-62-0x0000000006270000-0x0000000006587000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-145-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-64-0x0000000006270000-0x0000000006587000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-66-0x0000000006890000-0x0000000006CFC000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/2832-143-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-16-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-141-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-87-0x0000000006890000-0x0000000006FB0000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2832-86-0x0000000006890000-0x0000000006FB0000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2832-89-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-139-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-137-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-92-0x0000000006270000-0x0000000006587000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-95-0x0000000006270000-0x0000000006588000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-96-0x0000000006270000-0x0000000006587000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-97-0x0000000006890000-0x0000000006FB0000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2832-135-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-113-0x0000000006890000-0x0000000006FB0000-memory.dmp

      Filesize

      7.1MB

      Download

    • memory/2832-133-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-111-0x0000000006270000-0x0000000006534000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/2832-115-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-116-0x0000000006270000-0x0000000006588000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-23-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-131-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-129-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2832-127-0x0000000000990000-0x0000000000CA8000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2972-1-0x0000000077B90000-0x0000000077B92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2972-2-0x0000000000851000-0x00000000008B9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2972-3-0x0000000000850000-0x0000000000B68000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2972-5-0x0000000000850000-0x0000000000B68000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2972-15-0x0000000000850000-0x0000000000B68000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2972-17-0x0000000000851000-0x00000000008B9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2972-0-0x0000000000850000-0x0000000000B68000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3000-126-0x0000000000A60000-0x0000000000D24000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3000-118-0x0000000000A60000-0x0000000000D24000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/3000-112-0x0000000000A60000-0x0000000000D24000-memory.dmp

      Filesize

      2.8MB

      Download