Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
08-12-2024 17:04
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
41f7104e635f418ec5a33d817b5324d9
-
SHA1
7c9a3124d4bf236a560c6a865b0034f79a65f875
-
SHA256
3301f21b0e9b43873293f712c6a8eccb7746c09207e0cedcfe836d060862c6f8
-
SHA512
7dfd8e767be1b7904ff44b90cbc973a577f831db0dc81c44167838146a8912efe3631510fcf37451396206613419ca6d0fa0554a74af1764d50c056a3b66338e
-
SSDEEP
49152:kVF+M26kfUw7yoxeBqOo7NjGOTIkets5JsE8p7OuEFWH:e4M26kfUwGoxeBqV7BVtZheKuEU
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
quasar
1.4.1
vuictim
91.214.78.16:7000
42d886c4-74fa-480d-8b7e-5fe1ac03ba03
-
encryption_key
D72F5D077DE4AC156A670D7D920C697F5FB66FA8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft edge
-
subdirectory
SubDir
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 19 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1013209001\ZdGtikR.exe"C:\Users\Admin\AppData\Local\Temp\1013209001\ZdGtikR.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roomscience.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roomscience.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 6165⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 6205⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013220001\gdxjQRY.exe"C:\Users\Admin\AppData\Local\Temp\1013220001\gdxjQRY.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oftendesignpropre.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oftendesignpropre.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oftendesign.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oftendesign.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013225001\3089e679a9.exe"C:\Users\Admin\AppData\Local\Temp\1013225001\3089e679a9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD51d3f1b333a438438193b1d29731fd607
SHA10c8852028d925fc940ad1fcccc7539bf3c0db92c
SHA256ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
SHA512b9008ef7fc8aadc92fe20df3d3081a06bc561491b3aaac35caaf256f136e8c95c248d1622112ef08cc415f0b6efe10055b4cc31d9b1f88b508c64b688e8f561d
-
Filesize
2.2MB
MD53541c1ac26eb5bbb87f01c20fd9f8824
SHA1bf5d136c911491f59bdeb3bf37b8f1a155fd3a97
SHA256b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
SHA512babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93
-
Filesize
2.8MB
MD5a4de831aec191850ac5b336069ce3d40
SHA1df6263aae32913b94a1d45e9ba7f9124bcd5fe33
SHA2560217b5932fcaf4679b2d394d5dd2f10775774d9e7b2d0679d6aace357e085cf8
SHA51264dd2342b6f177b73be0d1ff2df5b1ab1dd12bc511e944345c60cc233e7812a01958a867bc05f3158312e3d5e20a7ce9bb1e1d7b87b37bef2f915e6b1e87d552
-
Filesize
11.0MB
MD53a11b7a8fbf64b684369aeea7cd08e17
SHA16d2e049bdb475e47b6ed03547c5d20b286caaffd
SHA256ccacaf0bd975ea2b7cb9e03986419ef04947ed39bfe3b18bae3577a3890ddada
SHA512b3852c01797b02d8f387a72adbc997c66cd44164cf902851d30f3437cfc6bba4741b70b3a332de69d6776a84e43b207b7e1d3b6dd6582172313559b35f28ae79
-
Filesize
1.8MB
MD5dccc10f2a3e67d24320aa5abe819a2d9
SHA1e3a57b1581b2b1e4bfaa994ad836f27803f1aee9
SHA256ab51065a1271ffdd973c8c130f9f17fdb9d0631b3a9c9c39ce8f1840c43b0670
SHA512f967d8dba9afd807021040b88e567bb4f264ca8994a1c6d2e6865baef9a66a2a336aacba5c7c4f90b504f442ae891ab67627377c919e40839a005aa2263f1f34
-
Filesize
5.6MB
MD51903d7d11d73afa8dd27d21bf148fc2a
SHA1b8388685baceaa5a88f00bcb8ff5083914ceb9c9
SHA256389259edafb04ed410e74813e0378910c4eec9ca066a9c4b3e9928aa50b18136
SHA512535bab32ac1de46eff9432bed6e9a4817ed85dd7a3452c7db2a3b4ac683d7c6b5be25208d0ac4df3189d8d8a278a293c81cf47612caaaaf0bf702643dfd66616
-
Filesize
2.3MB
MD56686485b91f2f50fbdeb53b83acd3a87
SHA11fcf914c4e3711332b0a62308082645b4f8bfbb8
SHA256605f8e4d0bc1f92c5bc9b0e37377c8e18226b1e2b4c61c0a0531ba865d66e43c
SHA512588762f9d07ea4887b37f7a217d22ce9061449d17bdc7948d1fdb0139315d7d56c0cc30b28dafd2f33358d17e18ea452af5bb7fab6f99e8b7d7aabbbc3236924
-
Filesize
2.3MB
MD5ffabcc262fb699998b6191d7656c8805
SHA1fd3ea79a8550b14e9cc75fb831fd7a141964a714
SHA256f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde
SHA51279b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba
-
Filesize
4.4MB
MD50f4bc1fb5d736a617a8733f62266945b
SHA12c99949405459f02fc2f9785c4edde830aecbe69
SHA256c8222b9d3f4e6d8e2b9d9fc7a027bac9d826572da7f05ecc8ae8ba8e00f7ce91
SHA5124b75bacd9244d082672ff9e84075d74e982a48797a9ada1121e5bce45bfb8b294ada379e57170588ec8b3a0607b8e32960034ff1163b9472451650deb4c73898
-
Filesize
2KB
MD5cbc6b2ad4bf883ea7ecb41d8d86b0964
SHA13051043976773abfc145a23942b42e4c7cac5a1c
SHA256c8844ba7ca7df3c75532044792065c3d2b742c389fc9fa1a6e2776ed425917af
SHA512355b1e180d067abaab69f1f51cf0776dee7156156195094825a1ba7fac3bcf7ab303b5d68be373878f400cd34ec9061dc549706b8ad344e66ac8968daa7e812f
-
Filesize
3.1MB
MD541f7104e635f418ec5a33d817b5324d9
SHA17c9a3124d4bf236a560c6a865b0034f79a65f875
SHA2563301f21b0e9b43873293f712c6a8eccb7746c09207e0cedcfe836d060862c6f8
SHA5127dfd8e767be1b7904ff44b90cbc973a577f831db0dc81c44167838146a8912efe3631510fcf37451396206613419ca6d0fa0554a74af1764d50c056a3b66338e
-
Filesize
9.5MB
MD5490864b581cfd93592b1d47e7c0b7c8f
SHA1bb35ed819f628a1894caaad9d41566d51675a3d8
SHA2563ddec7574b24a9d26a450c8cc725b347606ff33b9346a812d3012eb6f359d5f9
SHA51240adb01f4714165019f8eae6595be9faea20584b63b839d17288ce3d4ce8c74fb340c565bf22c1c6586a13d657e4ed080e3923b1a07f8d7d85a04a2c75a488a3
-
Filesize
1.2MB
-
Filesize
4.4MB
-
Filesize
672KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
304KB
-
Filesize
2.0MB
-
Filesize
2.4MB
-
Filesize
336KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
3.2MB
-
Filesize
4.6MB
-
Filesize
7.5MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
4.6MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
176KB
-
Filesize
2.4MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
336KB