Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-11-2024 08:36
General
-
Target
4f3d62f4662ecab837feb201384f04a6a0c79a3a8a2cda97ee6bab3a58e226aa.exe
-
Size
3.1MB
-
MD5
36186abad1b6621bfa6a2910dc005972
-
SHA1
3ab630f001cf69137f8391ddbbec30a6211a94b0
-
SHA256
4f3d62f4662ecab837feb201384f04a6a0c79a3a8a2cda97ee6bab3a58e226aa
-
SHA512
9d3695f5f2314725ac237b819823b1898152b6c0611a119d583cdcff9dc808fa9ae6819b7723046be7b910142f88735921641a93042b7872b5af45784693d0d5
-
SSDEEP
49152:HVKPATlcyJJew+a6x+ECLoJqQHoYKNTW/dTtq:HVQAJcyJJew+a6x+vsJFoYNn
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 19 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f3d62f4662ecab837feb201384f04a6a0c79a3a8a2cda97ee6bab3a58e226aa.exe"C:\Users\Admin\AppData\Local\Temp\4f3d62f4662ecab837feb201384f04a6a0c79a3a8a2cda97ee6bab3a58e226aa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1005956001\945129f759.exe"C:\Users\Admin\AppData\Local\Temp\1005956001\945129f759.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66f9758,0x7fef66f9768,0x7fef66f97785⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2192 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=1248,i,7813653813196851070,12128385256405096381,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 9404⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"C:\Users\Admin\AppData\Local\Temp\1006068001\lum250.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 12204⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006161001\c5dda29e29.exe"C:\Users\Admin\AppData\Local\Temp\1006161001\c5dda29e29.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 11964⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006162001\e17e5b3279.exe"C:\Users\Admin\AppData\Local\Temp\1006162001\e17e5b3279.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1006164001\dec3197b02.exe"C:\Users\Admin\AppData\Local\Temp\1006164001\dec3197b02.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {0A6032E5-3ED0-46F4-8F14-53232BF9A023} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
4.2MB
MD5a7e41df2cb4730c2e9b4cc777e99df77
SHA120e33d9967a4b927692bc5b1809c1aad790542eb
SHA2565713f57c3f457cb7bc70b6495bc94737c1d6a608dbfd4411bcc7437246eb66cf
SHA512c38a2591fb36e56b06ee983e9df5e90f9354dce860dabd3561d6358476284bb4de74e29f84cd2db11ec026bd901abc4c923ee18b39f596de9db7798e6da42439
-
Filesize
33.3MB
MD58fb77810c61e160a657298815346996e
SHA14268420571bb1a858bc6a9744c0742d6fd738a83
SHA256a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
SHA512b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2
-
Filesize
1.8MB
MD55b015748645c5df44a771f9fc6e136c3
SHA1bf34d4e66f4210904be094e256bd42af8cb69a13
SHA256622c5cb9a11085da8240c94262f596b687b3ecc2bc805b7f5a01cc335f7df909
SHA512026a32a969f973f91f6e848ce3509546ef70bddfdb39ed08c177c2cd1eddeb1297a2d722fa8542a9a09a3d0b9d4c8df0d35139b1c7ae0beba1b964a6b8003302
-
Filesize
2.9MB
MD532759286f0d328a68c63fbb0b85dacb7
SHA108df21f5f91ffc76293473dc8acfd3fa364678d7
SHA25621af6e9262502de17e772eafacaa6eedc2128c1a6c445801bbc0f06318143bf7
SHA5123afae0cc276fae073b4a07d8c3d90e28fb1585bc9cbc3e29519f8fd6b7148acb494cbf4497254537e8351ffd480604b0a91ee4107bd09ea915084245663a1922
-
Filesize
1.7MB
MD5673adb8fbfc09e598b9f2cd49291d360
SHA164b647245c6206581fd1ada3df3f9dc7dca75e9f
SHA256a3eaf680536f723aad903e7b9f0802699f113951925f3ffe25572345a79855d1
SHA512bc140fbc9bc2f31fc6df6db5fc52099920335b0e583585c7759a5bf4b2dba2f2a90da84b392e0c06a1ee0c7d8475fa6c1559ba3168fe31ad1c2699debcca9a31
-
Filesize
2.6MB
MD5cd92d8ecfa6e7c1ec2493affd71d2612
SHA1328676a428c2a17fe6b8ccbe7df1945b4eeda169
SHA256f4997a04a30174c18394454bd6e4f41631807041092ac17f25d2349422e7a2b7
SHA5123588b3f2ba99b6d0939dfc10ac19f560d5332584874fe284393364bef96c1331965e5a85964fd07cbea500f3e222e4c23336ff30616fd61f2370c9052b521883
-
Filesize
3.1MB
MD536186abad1b6621bfa6a2910dc005972
SHA13ab630f001cf69137f8391ddbbec30a6211a94b0
SHA2564f3d62f4662ecab837feb201384f04a6a0c79a3a8a2cda97ee6bab3a58e226aa
SHA5129d3695f5f2314725ac237b819823b1898152b6c0611a119d583cdcff9dc808fa9ae6819b7723046be7b910142f88735921641a93042b7872b5af45784693d0d5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
3.1MB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
6.5MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
11.7MB
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB