Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 19:02
General
-
Target
aeffa7f6d93e105575b864dc6c89b9119bbbc71655bf12d4eda660e77c432120.exe
-
Size
6.8MB
-
MD5
767354c76e47044e03a8e454726da1ae
-
SHA1
f3b4770721c8cc24075f6dd89b82d92b9fd7caf3
-
SHA256
aeffa7f6d93e105575b864dc6c89b9119bbbc71655bf12d4eda660e77c432120
-
SHA512
0daddc1d0e8eaad3be94d24852693808e8fc65eb43ca6ba9b1d4c4a245b3fe290250338fd6dc8cf2022853fe72c622192dae54abc90db5cb3c70a5002591e3af
-
SSDEEP
98304:2kf7HzfcJ5fdSBe7RdW9vsqGbGnwPvL+ESjONZ72w5TM4dOJsJ3fnZktS3Midpy/:2krrc5we77WJdGKw3KE0Csw5N7fnZzY
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
gcleaner
92.63.197.221
45.91.200.135
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://dwell-exclaim.biz/api
https://formy-spill.biz/api
https://covery-mover.biz/api
https://dare-curbys.biz/api
https://print-vexer.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aeffa7f6d93e105575b864dc6c89b9119bbbc71655bf12d4eda660e77c432120.exe"C:\Users\Admin\AppData\Local\Temp\aeffa7f6d93e105575b864dc6c89b9119bbbc71655bf12d4eda660e77c432120.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O6k20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O6k20.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i5D85.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i5D85.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1I12M2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1I12M2.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1012483001\b72c293e34.exe"C:\Users\Admin\AppData\Local\Temp\1012483001\b72c293e34.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N0772.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N0772.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 16285⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 16565⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3B60p.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3B60p.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4p276L.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4p276L.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4324 -ip 43241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4324 -ip 43241⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5d37030e80f50aa7d45f15e0983fad330
SHA1906a1885d394107acab9d41402b0df195a327f82
SHA256a5373b0a6fb3af6cc0166168bff40c602b6a67d9404962e438b61273e874c1bc
SHA5121a06ed2cd745c8688b756656315c3bcb8b6465c9f616cc45b347d02070e9fc035efb82e03edffbca9a6765250deea26e01adba8ff99b132cebea071241ec413a
-
Filesize
2.7MB
MD538b7f3afd27a489ce0bb5dd6013336a6
SHA1e0bd638da4d60d4d7da4018feaf6fe2660658b3f
SHA256ecadc37e114a2038d48c9709791157d27e9233243726a65f2099856817a0c68a
SHA5121ee01b32c2a16a8a389c3dd435a19dd6d22d255decb18486016b35d65224f4bee217ee4db0a79c3065cdc0ca9c0dd7e24fac8a699e68a8730e82458ae69f7e7c
-
Filesize
5.2MB
MD53161f63851f24f8e11a1e5e3379030bc
SHA12e38f90a0f7b792aa3a032124fb91fb2230338e5
SHA2567e8b7e317f4b3d12ac95ece741994a9c0a23809fecddde08f54d5cda9c7786e7
SHA512a1a4f8081cb252f364c0bf1f98b39daceaed26666835fcfd3de129118962945c6826eb060703de5da484be7bf8d5f70bca8fdd9c117bbfa47d398f18bf62db05
-
Filesize
5.0MB
MD53cefe657842d51dac2bae694606dcef9
SHA15d1a1be06fbf467999fafa247e2d9a88d79a5164
SHA256069a2de7d9a3cf067a8870596b6da48938a3110698dba7db83c622a3b9f74843
SHA5122dbf96f2d2a9683be5b4976dd3054a1b96780a13d52739c7a59406dcfa0389af47575b9d5a1c7b5e3d9e924420337cb402f080bc8ab3eb4853bb79e2d9036d10
-
Filesize
3.5MB
MD59eba1d1ccf5683adc574c0e0edf1207b
SHA1cdd28c0464e87afbbc770c161115740b0eca281e
SHA2568fe224f4a5574a283ce641fd7f8099f4d9eaa019383fcee65efb05b548057f9e
SHA512901b4e9c90dfe9d3b7ffd0f368f085f04768045e9b1eeedca67fe6eb3470cd4f671711c26607e3be6bd80dc4b459e0e36d752b4fcfe697898512ee3e977e200c
-
Filesize
3.1MB
MD5ed3fa7460523c5ec9d4568e754624405
SHA188ad04cf36c7fe20644d48572ec2e70569c9581b
SHA256d94506b192d68e1a3e0330db62fd84d4c1b98597869a4f831a06e7f73708714c
SHA5124ff0b5009effb0630cb3cd5dcd7291bc645cb2d59d1975eaef2cec17f379e00317c44de5ed4b07ec607745571521fff380acbfb98afe3710e5ec2dae36bd1add
-
Filesize
1.7MB
MD5659626f9b237cc63c9312b4ee6779fe4
SHA128a0255714ac4f52d892d6e5c912ee35294d41b9
SHA25646f5ccca9761ebfcaab4398177c12ce9138851f5d956ce77057b78e8e1ebcd23
SHA512e608a5f0dc3cd39d7b5606020438cb7d3b762b00ade7de509c95cf8a1917046998f4439f6434111b4504c4bccead9a1fd6a5c4b4778800e92d34aafeb0c92ffb
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB