Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15-11-2024 18:10
General
-
Target
b6f12e1681c93ba7210b921f2c7b8ca2a0ef662b0545f60821e1ef7ccc13cd90.exe
-
Size
3.1MB
-
MD5
450f5d36c348b3da6be54ccf321c7901
-
SHA1
9d2c71e3f3cd475051596f96782ea6378b0acb64
-
SHA256
b6f12e1681c93ba7210b921f2c7b8ca2a0ef662b0545f60821e1ef7ccc13cd90
-
SHA512
401b3fa84ca126b1b63b7fcc6c1ec66c81e9e60f988696248df6e6af06583f576f31300db750e2cb81a4d36b31036f135f14c221784bf144b11aac3e61ed95c2
-
SSDEEP
49152:S8aDdHEp7c0reuE7+vQSCYrimMFzBprUHh/J3egFW173X1V:PaDep7c0CuEmQ/Yri7BpQDubjlV
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6f12e1681c93ba7210b921f2c7b8ca2a0ef662b0545f60821e1ef7ccc13cd90.exe"C:\Users\Admin\AppData\Local\Temp\b6f12e1681c93ba7210b921f2c7b8ca2a0ef662b0545f60821e1ef7ccc13cd90.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1006262001\build.exe"C:\Users\Admin\AppData\Local\Temp\1006262001\build.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1006418001\SKOblik.exe"C:\Users\Admin\AppData\Local\Temp\1006418001\SKOblik.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1006449001\d9692962b4.exe"C:\Users\Admin\AppData\Local\Temp\1006449001\d9692962b4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7469758,0x7fef7469768,0x7fef74697785⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1540 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1536 --field-trial-handle=1348,i,6938560275527249278,8749358476495009829,131072 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006486001\086ffe6437.exe"C:\Users\Admin\AppData\Local\Temp\1006486001\086ffe6437.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006487001\8e52468d3a.exe"C:\Users\Admin\AppData\Local\Temp\1006487001\8e52468d3a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1006489001\7758de5f8e.exe"C:\Users\Admin\AppData\Local\Temp\1006489001\7758de5f8e.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
41.2MB
MD57abd9cf3c1c7b8e12e309a517a1d64c0
SHA163fc374e4498dedb181bb37aad0dc14813e45ba4
SHA256dd11a80576e2d535d1ffffeb53f9e72466e32ef39d833f43cd6e6f11fc365ebb
SHA5121c0d1a539e19edfcda7cd346fc2471988888293b52c625e29ce1a317c928ce97e44fcbcabb1bc4eda5a65b82d9e84eba4a2e864073bbcd3c3ae773693237544f
-
Filesize
21.2MB
MD5c3968e6090d03e52679657e1715ea39a
SHA12332b4bfd13b271c250a6b71f3c2a502e24d0b76
SHA2564ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4
SHA512f4908cce3e77a19bcbdc54487e025868cbd2c470b796edbf4a28aebc56cb9212019496f32eb531787de2ca9e8af0aedab2fde3d7aecee9e6a3fe3f5e4ce7670a
-
Filesize
4.2MB
MD5b5e061479580a67efbcb72642a1df59a
SHA1318d4d79cdef6de7dd1cc2e8dfcf93205b4fb6eb
SHA2562f70da1a79dbe2d0679b77a8999bd5cac1aa4133c8817a8be3b387cd5b7373ba
SHA51258fc0244bf1c9c9a027913d1c9798d026f128c4dff582735426755227d5cfa1be0e894fe83f2e45c055e394511d7939a4c542ff62b334615040302ccb18a1e40
-
Filesize
1.8MB
MD5b10c5598499dd5bc4403334079df1b30
SHA10cc8e7bf766694154e4b4d6458cd403e05587bed
SHA256b01b180518a67969040e7cbbacf11a83a5035bd5d961e28309add02d0dfe9ac6
SHA51280ff73b3f94d802f339009ddbe34cc1d6479b5a0aa90920533617b2e408f2442905e91bccbd5ad524c48c3373c923bc5aa0006af7ef53d87f3f15450ea2d2854
-
Filesize
1.7MB
MD5f6dd3195d9f8504e2e8cad8d7dfeebd2
SHA1f8b3784d88c29467968c5404f836a02b1d746dd0
SHA25616583a94054273cf5ffe92afe1f9242ce2ee91ed22dd7a6db4565a1fdf905431
SHA51255768ef242f08141e1296ebabfcae3b1af68f8b8c5bda63fc6147d7f6634f73e4f3a13c367c3480864a0c44c0de455dfce0125cf40cdbe75a35369baf8aa5b9a
-
Filesize
2.7MB
MD56fd056b79a786d171988a88e7668b2cc
SHA1fbb59a6d0f04984bda37b153b6f59a91cfd86413
SHA2561c676304ebcc60bbf8ad5b59c1730d304400dda0d37534268b475c24b68886b6
SHA5129faf0809f810db6c709480692acfb7cbe49a871945ed957c98d06e39f296eaa3ccfbe50b3755d9d7ac2089631caf95f60f31ab9919ab8145d1c4237eb0ab0c60
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.1MB
MD5450f5d36c348b3da6be54ccf321c7901
SHA19d2c71e3f3cd475051596f96782ea6378b0acb64
SHA256b6f12e1681c93ba7210b921f2c7b8ca2a0ef662b0545f60821e1ef7ccc13cd90
SHA512401b3fa84ca126b1b63b7fcc6c1ec66c81e9e60f988696248df6e6af06583f576f31300db750e2cb81a4d36b31036f135f14c221784bf144b11aac3e61ed95c2
-
Filesize
10.4MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
11.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.1MB
-
Filesize
11.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
3.1MB
-
Filesize
4.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
8KB