Overview

overview

10

Static

static

3

a9931d149b...c3.exe

windows7-x64

10

a9931d149b...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe

  • Size

    2.9MB

  • MD5

    ec45b3daf2d1998ec51ac32dd73e4353

  • SHA1

    e8f3624436c443853cd19dc4e590104130a59494

  • SHA256

    a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3

  • SHA512

    8c127c3eeeb3fedbee970453d487e5bc69da5727d8d144a657ed2842718b79c680b4138a0f1c294fce4c12105018f36c86437af67734000f24d12016359388f9

  • SSDEEP

    49152:cZ/jf/q95mWke8XmcIUJAkGXP5yJBHlyWhavc:s/q95mWke82hUJAkGXBy7Hhr

Score
10/10
amadeycryptbotstealcfed3aastokdiscoveryevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

cryptbot

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe
        "C:\Users\Admin\AppData\Local\Temp\a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Users\Admin\AppData\Local\Temp\1006974001\ab5e7dc14b.exe
            "C:\Users\Admin\AppData\Local\Temp\1006974001\ab5e7dc14b.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3028
          • C:\Users\Admin\AppData\Local\Temp\1006975001\27984fd60d.exe
            "C:\Users\Admin\AppData\Local\Temp\1006975001\27984fd60d.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1276
          • C:\Users\Admin\AppData\Local\Temp\1006976001\2b8f260712.exe
            "C:\Users\Admin\AppData\Local\Temp\1006976001\2b8f260712.exe"
            4⤵
            • Enumerates VirtualBox registry keys
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3048
          • C:\Users\Admin\AppData\Local\Temp\1006977001\e89881a912.exe
            "C:\Users\Admin\AppData\Local\Temp\1006977001\e89881a912.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2156
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1006974001\ab5e7dc14b.exe
      Filesize

      2.7MB

      MD5

      bf86f8d222211b376dd5c074cc460bed

      SHA1

      ad9dbcde657a50e42e6568e4fe8936c7c64e7cd6

      SHA256

      42b46b32f29bec629e50f10ab57342bb3c01e99c263f0760664bd4f9a8d8fb1d

      SHA512

      ad8069050c837bae46e6f6505dd47081643c4caf01d0a6f35193d188e6935b4071cdc28f53213564eca76853fed35163aee3dadf343d1e9f4f05adf055230c8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006975001\27984fd60d.exe
      Filesize

      1.9MB

      MD5

      98424af4cf040b8ecd7786db97b10926

      SHA1

      938327c7f460914fb7cd12b6a27215d1b7bf8542

      SHA256

      11acb38969b7a96133ffa40b3a2f34cdb0e4cf374a51c2ca1166bb28d44af8e1

      SHA512

      cb508d4b13eb9944d3adafa2df17b4e84bbaa18eeab0119c31a6f6ee4c4765427432c26a638838e665cf6a9f1d1075b567555cc7f7a5169632f9c28552509286

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006976001\2b8f260712.exe
      Filesize

      4.2MB

      MD5

      a3a9797a4b0ce1f732874b14ebe4be70

      SHA1

      e60e69c699bbcafb2da2fee4edc79767c422cbc3

      SHA256

      fed379542f4f9612075be78489e29523ff3c2cff2f218d228578bf05f11a07cb

      SHA512

      540184220d9142bc8878a70d505079f8f341670ead8b5dcad1232a43239b160a5cd499344b2be73fed3173feae7901c016ea89a28cac06776564664526bb3181

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1006977001\e89881a912.exe
      Filesize

      4.2MB

      MD5

      77a19a5113dd28b67356026da711a4ea

      SHA1

      f478578d420c0e9e29abb9dbe4e9129acd4e4cae

      SHA256

      0067ff4551c88e3dfd0edb4aa3d4eaea61a93e188d5e5dabd0a76a82eaa0c634

      SHA512

      e58789664e88d81d18c0785c4313d7a2c2c0dbf6d6e9520bd5986dfbb4b4c75503b35cf376aaf0257af309cceb1b753c231828db02b9c3b570663f71d4b4e8ae

      Download Submit

    • \Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Filesize

      2.9MB

      MD5

      ec45b3daf2d1998ec51ac32dd73e4353

      SHA1

      e8f3624436c443853cd19dc4e590104130a59494

      SHA256

      a9931d149b64d51f7743f410844d22ed049db4f5be2798f8a5511ecc279be0c3

      SHA512

      8c127c3eeeb3fedbee970453d487e5bc69da5727d8d144a657ed2842718b79c680b4138a0f1c294fce4c12105018f36c86437af67734000f24d12016359388f9

      Download Submit

    • memory/1276-68-0x0000000076DF0000-0x0000000076F99000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1276-74-0x0000000000FF0000-0x00000000014CF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1276-70-0x0000000074B00000-0x0000000074B47000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1276-67-0x0000000004BC0000-0x0000000004FC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1276-66-0x0000000004BC0000-0x0000000004FC0000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1276-64-0x0000000000FF0000-0x00000000014CF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2156-118-0x00000000003B0000-0x0000000000FDE000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2156-119-0x00000000003B0000-0x0000000000FDE000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2488-79-0x0000000074B00000-0x0000000074B47000-memory.dmp

      Filesize

      284KB

      Download

    • memory/2488-77-0x0000000076DF0000-0x0000000076F99000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2488-76-0x0000000001E40000-0x0000000002240000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2488-72-0x0000000000080000-0x000000000008A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2696-42-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-102-0x0000000006B50000-0x000000000702F000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-58-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-61-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-60-0x0000000006B50000-0x000000000702F000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-63-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-137-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-62-0x0000000006B50000-0x000000000702F000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-65-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-39-0x0000000006B50000-0x0000000007040000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-136-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-25-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-23-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-22-0x0000000000B61000-0x0000000000B8F000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2696-135-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-134-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-21-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-133-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-80-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-132-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-98-0x0000000006B50000-0x00000000077C7000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/2696-97-0x0000000006B50000-0x00000000077C7000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/2696-99-0x0000000006B50000-0x0000000007040000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-131-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-101-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-130-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-129-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-117-0x0000000006B50000-0x000000000702F000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2696-128-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-116-0x0000000006B50000-0x000000000777E000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2696-127-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-120-0x0000000006B50000-0x00000000077C7000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/2696-126-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2696-124-0x0000000006B50000-0x000000000777E000-memory.dmp

      Filesize

      12.2MB

      Download

    • memory/2696-123-0x0000000000B60000-0x0000000000E82000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-0-0x00000000010D0000-0x00000000013F2000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-5-0x00000000010D0000-0x00000000013F2000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-17-0x00000000010D0000-0x00000000013F2000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-1-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2856-2-0x00000000010D1000-0x00000000010FF000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2856-3-0x00000000010D0000-0x00000000013F2000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-19-0x0000000006970000-0x0000000006C92000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2856-18-0x0000000006970000-0x0000000006C92000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3028-40-0x0000000000A50000-0x0000000000F40000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3028-41-0x0000000000A50000-0x0000000000F40000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3048-122-0x0000000001190000-0x0000000001E07000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/3048-125-0x0000000001190000-0x0000000001E07000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/3048-100-0x0000000001190000-0x0000000001E07000-memory.dmp

      Filesize

      12.5MB

      Download

    • memory/3048-121-0x0000000001190000-0x0000000001E07000-memory.dmp

      Filesize

      12.5MB

      Download