Overview

overview

10

Static

static

3

ecb34bc9d2...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecb34bc9d2bdeedee1ccede5b57ef121cf23418ba3e0fa0420b340e477986d81N.exe

  • Size

    3.5MB

  • MD5

    e511e6360abe0c5ea58abd6470834830

  • SHA1

    cb8e57010603b363e39d06787525ce761f768081

  • SHA256

    ecb34bc9d2bdeedee1ccede5b57ef121cf23418ba3e0fa0420b340e477986d81

  • SHA512

    c08c8978e08ed9293b0cf77ab78461dc496647e37d6a6989f1f2bca5853c5a3c04bef2d2558a72f51b6e71e90b4f15582111469f8e0f1bc41d39494100b16d51

  • SSDEEP

    49152:yzEYEvllWYbnucw+q0LpRmc4TLWcpxmZS1O3PBfiw+NJqYQAoYoo:eEYqlWqHwKpUNLhESo/Qjn/o

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://navygenerayk.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecb34bc9d2bdeedee1ccede5b57ef121cf23418ba3e0fa0420b340e477986d81N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecb34bc9d2bdeedee1ccede5b57ef121cf23418ba3e0fa0420b340e477986d81N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1n75c8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1n75c8.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\1005076001\9dd4310c32.exe
          "C:\Users\Admin\AppData\Local\Temp\1005076001\9dd4310c32.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3824
        • C:\Users\Admin\AppData\Local\Temp\1005077001\2eb4bf5e81.exe
          "C:\Users\Admin\AppData\Local\Temp\1005077001\2eb4bf5e81.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4400
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4000
        • C:\Users\Admin\AppData\Local\Temp\1005079001\9ded8b5d5f.exe
          "C:\Users\Admin\AppData\Local\Temp\1005079001\9ded8b5d5f.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Windows security modification
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2r4221.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2r4221.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4084
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2556
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1005076001\9dd4310c32.exe
    Filesize

    3.0MB

    MD5

    b09deb1644094d9569ac5a518e97c25c

    SHA1

    1ddcbbcbb00401a14838fe46257125c56896f98d

    SHA256

    d96be8a69a7207825037e59d9a844ea912e910ae5896464a929064c0c77e2fb0

    SHA512

    71ae273f909e6bdf9aa94c5f7e716f633518abbf33cc635d44d62feec8945349c1f33456fab83a432770d0ca788bd2ec7f63c492eec196d23354afcf0e2e4034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1005077001\2eb4bf5e81.exe
    Filesize

    2.0MB

    MD5

    0801425a20b0620caa7a43be53f4602b

    SHA1

    c2df5b979d38cc378f36bfaef9bcbee75a320cd2

    SHA256

    031c985ef3fa8e36336ea00598aeeabd410303b7cf8c3b1103386c89163b62c6

    SHA512

    2a29d2d0fcabba828e74a4835a7ddab313b114739aa3856a24c73e9766ab05ff31530947891dd4f195dff877fc977a9f8c8e3a174c1889a5b81f13272b82b14d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1005079001\9ded8b5d5f.exe
    Filesize

    2.7MB

    MD5

    c81134b3173346bdf56947e25f493731

    SHA1

    11373e6e6ae8d3d37df3f210b5d592e53ca39690

    SHA256

    3c575868ff58d241c2cfab122237857624a6879b7c1d5c7041f1a225f53f1367

    SHA512

    5931f86366ef22f8b3da5f9a4cd3389e1eb1bc99d5ba465267e67d8e204ef9c430d5d3181213fcab94a075fa2ac67085649bbc2ca685cc2d836a1c38906370dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1n75c8.exe
    Filesize

    3.1MB

    MD5

    aec56671d0758eaff92926d21fac8693

    SHA1

    084b183a609a1c2c70d860757257082a563e7bc4

    SHA256

    9aa772b16838edca5370628672880f7263cf78f1661e8622fd22701090456306

    SHA512

    c40e653996c1a2d6924a6dd9cbf26155b84eae1a9778e8ff8a55c740c8fa18d6f944fc1fdcbee76804f7c0bb0fad4f80e4f2b3ae6175134d52111207db25579e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2r4221.exe
    Filesize

    3.0MB

    MD5

    1e89027e4db2c2f57e9b4db8b00200c7

    SHA1

    435f869057bc76c9e7596d7740deb51f4ba59260

    SHA256

    b2dd3033c8dd8bf7218e42ebb0684c416b63748398c1bcba039e8a37c54bb9fe

    SHA512

    562c1f65607b95d05ce3c55bdb9a15a9c4a3752c5bc92a5c36fd5aa7846f06d437f6f39adb1b8322583c7d5008ea88ce9d842ad9648f79c5fa4f60bbc3bc70a8

    Download Submit

  • memory/864-23-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/864-97-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/864-67-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/864-50-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2556-140-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2556-105-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2660-25-0x0000000000630000-0x0000000000956000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2660-26-0x0000000000631000-0x0000000000699000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2660-11-0x0000000000630000-0x0000000000956000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2660-10-0x0000000000630000-0x0000000000956000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2660-9-0x0000000000631000-0x0000000000699000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2660-8-0x0000000077584000-0x0000000077586000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2660-7-0x0000000000630000-0x0000000000956000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3824-47-0x0000000000840000-0x0000000000B41000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3824-49-0x0000000000840000-0x0000000000B41000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4000-74-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-88-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-82-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-81-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-79-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-75-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-73-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-83-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-80-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-78-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-77-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-76-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-70-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-84-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-93-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-95-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-96-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-94-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-92-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-91-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-90-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-72-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-87-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-85-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-89-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-86-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-106-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-98-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-100-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-99-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-103-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-102-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4000-101-0x0000000000400000-0x0000000000B2D000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4076-165-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4076-167-0x0000000000C80000-0x0000000000FA6000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4084-31-0x00000000005A0000-0x00000000008A6000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4084-30-0x00000000005A0000-0x00000000008A6000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4400-65-0x0000000000190000-0x00000000008BD000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4400-68-0x0000000000190000-0x00000000008BD000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/4820-151-0x00000000006F0000-0x00000000009AC000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4820-152-0x00000000006F0000-0x00000000009AC000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4820-153-0x00000000006F0000-0x00000000009AC000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4820-156-0x00000000006F0000-0x00000000009AC000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4820-159-0x00000000006F0000-0x00000000009AC000-memory.dmp

    Filesize

    2.7MB

    Download