General
-
Target
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551
-
Size
1.8MB
-
Sample
241128-1nep2axnbm
-
MD5
50a4af673c3038f686865c6698427e13
-
SHA1
587c30e231c7163741adc14582d5a4792f823722
-
SHA256
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551
-
SHA512
fe92fd5ba8c04638d03d4db073d1d34c3ece1181f3f5e3865745ec7143900073b87e8c82cc127bfd7f1176cb24cb4d5607e4eb6c8bf68b52943ec3b8392af188
-
SSDEEP
49152:idXfSF0PLhbT4JKX7m6teFvYFI+Xb8PRDhO4IJJOmPF:SfSFILyJE7m6svY2+XYPRDhO4kJOmt
Static task
static1
Behavioral task
behavioral1
Sample
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://preside-comforter.sbs
https://savvy-steereo.sbs
https://copper-replace.sbs
https://record-envyp.sbs
https://slam-whipp.sbs
https://wrench-creter.sbs
https://looky-marked.sbs
https://plastic-mitten.sbs
https://tail-cease.cyou
Extracted
lumma
https://tail-cease.cyou/api
Targets
-
-
Target
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551
-
Size
1.8MB
-
MD5
50a4af673c3038f686865c6698427e13
-
SHA1
587c30e231c7163741adc14582d5a4792f823722
-
SHA256
aadc5df9b60a87ade5c319c6723d16aa4401f531d89aaf4d8b3f0f3e1cf54551
-
SHA512
fe92fd5ba8c04638d03d4db073d1d34c3ece1181f3f5e3865745ec7143900073b87e8c82cc127bfd7f1176cb24cb4d5607e4eb6c8bf68b52943ec3b8392af188
-
SSDEEP
49152:idXfSF0PLhbT4JKX7m6teFvYFI+Xb8PRDhO4IJJOmPF:SfSFILyJE7m6svY2+XYPRDhO4kJOmt
-
Amadey family
-
Lumma family
-
Stealc family
-
Enumerates VirtualBox registry keys
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Download via BitsAdmin
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
BITS Jobs
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1BITS Jobs
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Discovery
Peripheral Device Discovery
2Query Registry
10Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3