Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-11-2024 18:15
General
-
Target
51c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0.exe
-
Size
3.3MB
-
MD5
7cfe878555b8cc04fc52385219b423d7
-
SHA1
cff23beb3f3223610a37a9b52d3b9495438c5c1f
-
SHA256
51c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0
-
SHA512
31ad38c09589a8ba91d0c2b4b3f12cda02909fd4cdd06a84b415c2018983c0dfd8b675c39089a0313e1a0c6c95ef023d9d4f66fcd05d2b4aeb313d75efe86386
-
SSDEEP
49152:pd0WyZt1UbFSOHUM04jhsaDfZt6TJ5nD3hdkMgE+jCtWszgEBCs9IYFDl:aZt8FjUF4jhBZtmhjjf8gRPJ
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 22 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0.exe"C:\Users\Admin\AppData\Local\Temp\51c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1006022001\adb52ff0fd.exe"C:\Users\Admin\AppData\Local\Temp\1006022001\adb52ff0fd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 12164⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006023001\8082a370e8.exe"C:\Users\Admin\AppData\Local\Temp\1006023001\8082a370e8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006025001\a9bd75f2fb.exe"C:\Users\Admin\AppData\Local\Temp\1006025001\a9bd75f2fb.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5dfd1e24a085c51bce092d4db59c9593e
SHA17676a1c7a0144ac337358ffe9c6078329efe7396
SHA256bf098fbe4f5b597b60ebba09bb299623d75f7f3811e79550511fcc900e3644ba
SHA5122e280208545767ee2057d41e77e41f0da6192a09b1ec361127a7fc6b5df71c8f49a1b3a05defec10b908761789ec9b5f0168046244af9fe1ad71cc5bc41d2744
-
Filesize
1.7MB
MD54938d40dcf6d293c8e3cb0dedf340cf9
SHA1241c4bbd46f1195532f3d849804b05f864a4dc97
SHA256ef58ad108a1bb0c142cee1f46742666fb5d37c3a9a63ef893d508b853ac16c01
SHA512949eb9e79598d3d8de0f750f10f3192ff3aaaf7abaed86b9f761ab31fd85f214e520ae34a2f548ddcf17ac7bab46e87db316b6b1830ec7a157fb0b0d9bf8b6da
-
Filesize
2.6MB
MD59768f45bf481592fd2e3bb3d293af85f
SHA134438f33beeb1d2426f2d44676f12121f10da4bc
SHA256e54ce8c6b1b4fcf265fa2cd13a20585cac1fa8819e0e271a18799f104731d687
SHA512f2e52be6585ad4289cb238f49dccc8486b08098da8d93fa18bb2783d94d4cc6e48c6f8227d7cdad6706c709f518967c046c9574dc33dcfcac795922a0858c2aa
-
Filesize
3.3MB
MD57cfe878555b8cc04fc52385219b423d7
SHA1cff23beb3f3223610a37a9b52d3b9495438c5c1f
SHA25651c35cc8bfc37189048a0454992f30143289dcace11c5fc108db47e91f467bd0
SHA51231ad38c09589a8ba91d0c2b4b3f12cda02909fd4cdd06a84b415c2018983c0dfd8b675c39089a0313e1a0c6c95ef023d9d4f66fcd05d2b4aeb313d75efe86386
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
8.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
3.0MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
8.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
2.6MB
-
Filesize
8.6MB
-
Filesize
3.0MB