Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-11-2024 17:51
General
-
Target
05f5f3f71824d9e1d03b319fa6a8c16ad9b911408dfe08edf3bd296160b33718.exe
-
Size
3.1MB
-
MD5
b942d7a084b06328e13513475def938d
-
SHA1
14671419aa87f1b4e36c86976d815167ae137743
-
SHA256
05f5f3f71824d9e1d03b319fa6a8c16ad9b911408dfe08edf3bd296160b33718
-
SHA512
0945c0c260234a80dbdb8791f84b6df337f324fc49c43d0eb173590322d31e0f0fd314da338a664541a5ddc00e9c3f88755ae150ccdfbd34b56c6999005bebf0
-
SSDEEP
24576:mRbfrZCU8UOmMt2KlHENHGNpXCavued5h1pl70dA30KtKb/m4UPXRSq/rrmhNcC:mRg/JqN5LONp+/HeK1+W+rGpbLtYC
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05f5f3f71824d9e1d03b319fa6a8c16ad9b911408dfe08edf3bd296160b33718.exe"C:\Users\Admin\AppData\Local\Temp\05f5f3f71824d9e1d03b319fa6a8c16ad9b911408dfe08edf3bd296160b33718.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1005956001\65d570c1a3.exe"C:\Users\Admin\AppData\Local\Temp\1005956001\65d570c1a3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ed9758,0x7fef6ed9768,0x7fef6ed97785⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1284 --field-trial-handle=1348,i,10002547364529221557,12298958339501084774,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006018001\086bef4361.exe"C:\Users\Admin\AppData\Local\Temp\1006018001\086bef4361.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 12204⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006019001\edeb2f8fb8.exe"C:\Users\Admin\AppData\Local\Temp\1006019001\edeb2f8fb8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006021001\937d0edbe0.exe"C:\Users\Admin\AppData\Local\Temp\1006021001\937d0edbe0.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
4.2MB
MD55dbba186591c16739291e29cea223673
SHA1be098a3b4e9b37681d05738f2fe8f53417784f8a
SHA256bd09a065bc3503751bd51d756e6e76051c4da2913767428d8e25daea6f726ece
SHA51225db4af77fe2100c8a989b23fcf4869a63d8225138e0b0256f19b630dd124594e96e47ba52eba2bbecca50d47e4e2df54555f64b3fda578f8f292e1a6ad9364a
-
Filesize
3.0MB
MD5dfd1e24a085c51bce092d4db59c9593e
SHA17676a1c7a0144ac337358ffe9c6078329efe7396
SHA256bf098fbe4f5b597b60ebba09bb299623d75f7f3811e79550511fcc900e3644ba
SHA5122e280208545767ee2057d41e77e41f0da6192a09b1ec361127a7fc6b5df71c8f49a1b3a05defec10b908761789ec9b5f0168046244af9fe1ad71cc5bc41d2744
-
Filesize
1.7MB
MD54938d40dcf6d293c8e3cb0dedf340cf9
SHA1241c4bbd46f1195532f3d849804b05f864a4dc97
SHA256ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01
SHA512949eb9e79598d3d8de0f750f10f3192ff3aaaf7abaed86b9f761ab31fd85f214e520ae34a2f548ddcf17ac7bab46e87db316b6b1830ec7a157fb0b0d9bf8b6da
-
Filesize
2.6MB
MD59768f45bf481592fd2e3bb3d293af85f
SHA134438f33beeb1d2426f2d44676f12121f10da4bc
SHA256e54ce8c6b1b4fcf265fa2cd13a20585cac1fa8819e0e271a18799f104731d687
SHA512f2e52be6585ad4289cb238f49dccc8486b08098da8d93fa18bb2783d94d4cc6e48c6f8227d7cdad6706c709f518967c046c9574dc33dcfcac795922a0858c2aa
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.1MB
MD5b942d7a084b06328e13513475def938d
SHA114671419aa87f1b4e36c86976d815167ae137743
SHA25605f5f3f71824d9e1d03b319fa6a8c16ad9b911408dfe08edf3bd296160b33718
SHA5120945c0c260234a80dbdb8791f84b6df337f324fc49c43d0eb173590322d31e0f0fd314da338a664541a5ddc00e9c3f88755ae150ccdfbd34b56c6999005bebf0
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
416KB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
2.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.0MB
-
Filesize
3.0MB