Resubmissions

17-11-2024 21:39

241117-1hr36stmfk 10

17-11-2024 20:07

241117-yv16hawrdw 10

Analysis

  • max time kernel: 16s
  • max time network: 20s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17-11-2024 21:39

General

  • Target: a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe
  • Size: 5.5MB
  • MD5: f9f0c48f061092e154bd50783d383ec4
  • SHA1: 11060ec507eff5e7f9d08bef66ff0f8796ed1e31
  • SHA256: a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875
  • SHA512: c6fa367df2a0b7c0c605ecf251871f6776ada3709c65ce92da95622302d4f723d1c00dce6730f1658aad8539c523aafb3dff9fcd9bae8f7ba248d68b007ede61
  • SSDEEP: 98304:5C6NjxwJS9BLBBGZvHKIVExE9/RH89zuNvoX4JpGAfh02eDhXn+5VbSdPyBxqTl:5C+wGLGthVX/RH89zgvoXO4002wXEOdV

Malware Config

Extracted

Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
Attributes
  • install_dir: abc3bc1985
  • install_file: skotes.exe
  • strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  • url_paths: /Zu7JuNko/index.php
rc4.plain

Extracted

Family: lumma
C2:
  • https://scriptyprefej.store
  • https://navygenerayk.store
  • https://founpiuer.store
  • https://necklacedmny.store
  • https://thumbystriw.store
  • https://fadehairucw.store
  • https://crisiwarny.store
  • https://presticitpo.store

Extracted

Family: stealc
Botnet: tale
C2: http://185.215.113.206
Attributes
  • url_path: /6c4adf523b719729.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe
    "C:\Users\Admin\AppData\Local\Temp\a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe" & del "C:\ProgramData\*.dll"" & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\chrome.dll
    Filesize: 676KB
    MD5: eda18948a989176f4eebb175ce806255
    SHA1: ff22a3d5f5fb705137f233c36622c79eab995897
    SHA256: 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
    SHA512: 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

  • C:\Users\Admin\AppData\Local\Temp\1006992001\226759f724.exe
    Filesize: 2.7MB
    MD5: 2ce0b7e92b8871bc57028259fd6c0d08
    SHA1: 5900c80af1f0da43e8eab9b2e8dafee1530cc910
    SHA256: cd26575fe49996ce0ed5947870aec6c57d10f5d42838521423364231fa102b3e
    SHA512: 13bd0fb476d85d16189e95229f0c13e3fe34936970b27143ed4b88f7508047a2aef49670e6a97a7ad1b30217c97d3338beb448f8845e926518ac74b2bc79b9af

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe
    Filesize: 2.0MB
    MD5: 5f44f2bb693c50d1141aa214dac22796
    SHA1: aa3408aaf55c7fc92b90cdbb08075c2b59a7a6dc
    SHA256: 184b2aee425e019ac00a1000a882e5d01e4175e90d84ca0e473db487d43add7d
    SHA512: 4ea0f394a1ec64d7c97b726d7df92519ac87d053e3c1030b0bd8a3fd9b41beed1f48008f85b02b5de2f505e2283888e142dfb8dd3499440b3c00e28da9f23d4e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe
    Filesize: 3.4MB
    MD5: c3a949833a4a77388c9d278084868bf2
    SHA1: c1ccbe6146d98e96ee02adf0fd297cbc92237709
    SHA256: 3021414754d72ad9d34ea792cef5362384325ff5b3ed75bb534b8618546e5d90
    SHA512: 3ff6a290e51bdb7f781378b5d43eb6997cef9bfcb7de7f239d910f4d6fb1f44254679102c7fa08aa1445298d55477c26fd9fd64ea6d205e5e4930e497a568b26

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe
    Filesize: 3.1MB
    MD5: 74ba48529515c95320f4a86fc42fc668
    SHA1: c33b2b0c5e43e5ac274206ae964cf85bb8718048
    SHA256: 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
    SHA512: 16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe
    Filesize: 3.0MB
    MD5: a8f20ad3d41973d7375370b0b7e0f206
    SHA1: 1e7775500a8838eb99511557a0a6b91001711e77
    SHA256: 945c4e520925902102b0b7435d34ae82952150535847dbb9bae31e319c62ac00
    SHA512: 74915dbf9abb08f258c5f64ec12b19bbbafb0a09a6f01b322cbb3594f9ce3469b352b6279e0b2dcb817ac5a2fc0635c0dd860bd649138326f164ea6193951891

  • memory/1816-52-0x0000000000E50000-0x000000000116C000-memory.dmp
    Filesize: 3.1MB
  • memory/1816-30-0x0000000000E50000-0x000000000116C000-memory.dmp
    Filesize: 3.1MB
  • memory/1816-51-0x0000000000E50000-0x000000000116C000-memory.dmp
    Filesize: 3.1MB
  • memory/2276-36-0x0000000000EA0000-0x00000000011AE000-memory.dmp
    Filesize: 3.1MB
  • memory/2276-37-0x0000000000EA0000-0x00000000011AE000-memory.dmp
    Filesize: 3.1MB
  • memory/3572-41-0x00000000002E0000-0x00000000009FF000-memory.dmp
    Filesize: 7.1MB
  • memory/3572-50-0x00000000002E0000-0x00000000009FF000-memory.dmp
    Filesize: 7.1MB
  • memory/4564-31-0x0000000000331000-0x0000000000399000-memory.dmp
    Filesize: 416KB
  • memory/4564-16-0x0000000000331000-0x0000000000399000-memory.dmp
    Filesize: 416KB
  • memory/4564-15-0x0000000077D74000-0x0000000077D76000-memory.dmp
    Filesize: 8KB
  • memory/4564-17-0x0000000000330000-0x000000000064C000-memory.dmp
    Filesize: 3.1MB
  • memory/4564-18-0x0000000000330000-0x000000000064C000-memory.dmp
    Filesize: 3.1MB
  • memory/4564-29-0x0000000000330000-0x000000000064C000-memory.dmp
    Filesize: 3.1MB
  • memory/4564-14-0x0000000000330000-0x000000000064C000-memory.dmp
    Filesize: 3.1MB