Overview

overview

10

Static

static

3

ae7cee2a37...f8.exe

windows7-x64

10

ae7cee2a37...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae7cee2a37b6db87bb902e868f14ff3e666b94ef0f910abb1c1f997986ebc8f8.exe

  • Size

    1.8MB

  • MD5

    7eb364eea0c2b3fbd888a56ed722e620

  • SHA1

    899ce1f752474250e705ecb03debc6f654acf6d9

  • SHA256

    ae7cee2a37b6db87bb902e868f14ff3e666b94ef0f910abb1c1f997986ebc8f8

  • SHA512

    aa968393006cc966323ba29fae087329a914bdf5cbe7abee65c9b9a3a849e64ae543e3030d850b230d23868ec3a99d17ffb0951c3ccdc0ec7e99624653e6052b

  • SSDEEP

    49152:Tsjx/8ZKhghrGvti28GOYO13yd5jtd9OuftmdfcsSkwJ:iohSwL13+5pd9EffLw

Score
10/10
amadeylummastealcfed3aastokdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://covery-mover.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae7cee2a37b6db87bb902e868f14ff3e666b94ef0f910abb1c1f997986ebc8f8.exe
    "C:\Users\Admin\AppData\Local\Temp\ae7cee2a37b6db87bb902e868f14ff3e666b94ef0f910abb1c1f997986ebc8f8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe
        "C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\System32\certutil.exe
          "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpADB7.tmp"
          4⤵
            PID:4328
        • C:\Users\Admin\AppData\Local\Temp\1005989001\de8254df7f.exe
          "C:\Users\Admin\AppData\Local\Temp\1005989001\de8254df7f.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1140
        • C:\Users\Admin\AppData\Local\Temp\1005990001\3f5d3722d5.exe
          "C:\Users\Admin\AppData\Local\Temp\1005990001\3f5d3722d5.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5088
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3388
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3212
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
      Filesize

      2KB

      MD5

      0158fe9cead91d1b027b795984737614

      SHA1

      b41a11f909a7bdf1115088790a5680ac4e23031b

      SHA256

      513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

      SHA512

      c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe
      Filesize

      4.5MB

      MD5

      5b39766f490f17925defaee5de2f9861

      SHA1

      9c89f2951c255117eb3eebcd61dbecf019a4c186

      SHA256

      de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a

      SHA512

      d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1005989001\de8254df7f.exe
      Filesize

      1.7MB

      MD5

      b1389ec87bad100fad616612b0f8850c

      SHA1

      2893314486cb66c4454a83f21be67c536dcf0822

      SHA256

      31b4f87080ce3e4bb1425ac640fdf884e0c54f27992177d9006174c9a662673b

      SHA512

      cc16a98f23a91a30cf8042000c5db986c24c20b6cb72faebe94728815f73fa6c12a6a5f0625773a0f2aa46b08736fb4b4ef083192dc94e49fefcbcab3cc9e040

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1005990001\3f5d3722d5.exe
      Filesize

      1.8MB

      MD5

      f311c4e019a62fb6a0151f10f30cc2bf

      SHA1

      33741cc7dbb6c8ab5661b01be59abc95bc2fe93b

      SHA256

      7fe212bf16319044794c1dfae79a8c3c6d6f0f9752eb8682472b54c6b15c9381

      SHA512

      9fef6e8e3c1dd403c906caa6d2afe7d401790260c5bea21992211406c28e43831529ed99ba03d5b2b149cc3e4c196c5bbbe0a822d4ed20bc28d6610c4ac85db7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Filesize

      1.8MB

      MD5

      7eb364eea0c2b3fbd888a56ed722e620

      SHA1

      899ce1f752474250e705ecb03debc6f654acf6d9

      SHA256

      ae7cee2a37b6db87bb902e868f14ff3e666b94ef0f910abb1c1f997986ebc8f8

      SHA512

      aa968393006cc966323ba29fae087329a914bdf5cbe7abee65c9b9a3a849e64ae543e3030d850b230d23868ec3a99d17ffb0951c3ccdc0ec7e99624653e6052b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TmpAD76.tmp
      Filesize

      2KB

      MD5

      b19a11965de37e496427234749835b26

      SHA1

      9515cea270cb49c21f4469c06bc7e9f6bc72d725

      SHA256

      7bc12ee97d31e00746a203d42c18aebab6b43246508269762bac74fae4f9cee0

      SHA512

      265f5175aa40a0809e627ba79468b2c41cd6c2a9c52c58edb0c4eec30334118714c6d60f546de782152acd912723ce01d8303082adcac42fbc13bcfdc1498e42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpADB7.tmp
      Filesize

      2KB

      MD5

      0d75207d497b5165758ec2cb8e0fbb71

      SHA1

      c07029c2ba769a4261ee863a6022d5353326b1b1

      SHA256

      2ce01ade4d04b6b86fc8cfea6d234eb950403df01e2e1fc28bf25492a52a10fa

      SHA512

      d850f345b3a7cbcb28a91c70db5ad4d74a9b9b28858dbd458c4ce9bfe29f2ae0e9ac9dfa6a68084aca85717bba001b0f6c925e90301cbbd5b3ff390350fa2278

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1BB5164CA9926EC73600477060415A2675CB8C1E
      Filesize

      1KB

      MD5

      8560c23ce76a9c7e77dab55728ebc1bf

      SHA1

      478bf8f7a0186fb723b9408764d3cda8bbf3893d

      SHA256

      6b0657f973854da0094511baea57e5c4f6a71af6176c67a67eacda2c9057bc0b

      SHA512

      48bb1ed8919aae04a52c61a4fcc24629ff09d211a1da95bb6024cbac1d2e35cabfba790a2417ebdb973abf261a9324ee4f5c116bc056fa0d41164bea7087c51c

      Download Submit

    • memory/1140-85-0x0000000000AC0000-0x0000000001157000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/1140-109-0x0000000000AC0000-0x0000000001157000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/3212-138-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3388-130-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-0-0x0000000000FD0000-0x000000000149A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-15-0x0000000000FD0000-0x000000000149A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-4-0x0000000000FD0000-0x000000000149A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-3-0x0000000000FD0000-0x000000000149A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3612-2-0x0000000000FD1000-0x0000000000FFF000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3612-1-0x00000000776F4000-0x00000000776F6000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4536-20-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-131-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-144-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-143-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-142-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-21-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-108-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-110-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-18-0x00000000004C1000-0x00000000004EF000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4536-141-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-127-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-140-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-19-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-45-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-132-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-133-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-134-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-135-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-136-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-16-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4536-139-0x00000000004C0000-0x000000000098A000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/4760-40-0x00007FFC5A1D3000-0x00007FFC5A1D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4760-41-0x0000025DBE9C0000-0x0000025DBEE50000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4760-43-0x0000025DD9930000-0x0000025DD9AF2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5088-128-0x0000000000690000-0x0000000000B2A000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/5088-126-0x0000000000690000-0x0000000000B2A000-memory.dmp

      Filesize

      4.6MB

      Download