Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-12-2024 10:20
General
-
Target
7799197bff28707544d1c92e81250479de08e605210d39ec4b395a89e9489ccb.exe
-
Size
2.9MB
-
MD5
c3ee35c8b65f7b15a8941b2dee05835e
-
SHA1
62a6c389a94fff3eb70a308b29aa7ca8444dfcc2
-
SHA256
7799197bff28707544d1c92e81250479de08e605210d39ec4b395a89e9489ccb
-
SHA512
cce2363ac083c3929839a430e0219c28da3b2d805edbb059e5c40a00ed659b9337635dadc9db86acc86993945533c4661fcaf637a22ab349306d69221b0d8789
-
SSDEEP
49152:JtFTAjdF8vSRDsEJ+rjNLYKiBU/RIH5H+Y7eXsZXarBt8Z:BqdVRDIrZY+JIH5hCcZXIS
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7799197bff28707544d1c92e81250479de08e605210d39ec4b395a89e9489ccb.exe"C:\Users\Admin\AppData\Local\Temp\7799197bff28707544d1c92e81250479de08e605210d39ec4b395a89e9489ccb.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007638001\a74ee40818.exe"C:\Users\Admin\AppData\Local\Temp\1007638001\a74ee40818.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007639001\39d799b320.exe"C:\Users\Admin\AppData\Local\Temp\1007639001\39d799b320.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\1007640001\2a836c562a.exe"C:\Users\Admin\AppData\Local\Temp\1007640001\2a836c562a.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007641001\4393a7ee27.exe"C:\Users\Admin\AppData\Local\Temp\1007641001\4393a7ee27.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
2.8MB
MD5afea54bb6f5e4adb448036812363ca2e
SHA19626b3093dc9c9aa2982462b14258b7ff9f8e256
SHA2569742f2ebcfdac7645f7872e538cfde538ad165eab94e1f934bb8ebd1ab18aed4
SHA51259231960ead5c1001e03164248fe3d771aadba467cfdbcf30138286962ab779961c6319b417bd6a751bcfe432fb56efc5d35a225a9965ee07d60809e60484527
-
Filesize
1.9MB
MD59b43474fd844676d97d016d9d037bbcf
SHA1078b35dc7f41594097c7b44c48355ecc69561705
SHA2560bf7baaeecf805b63fb7c3db3a1e0df9be2d92cedc384108be9cc676bdf8619e
SHA51203c71fa8b1f58ff01e9a73b0788e65ccc2ffb7a56e632ca2c1d316c9114f3c3472a3639553cabc92ba6ac43d98f72cb852055bb46af21c929a5b6842f28c8b51
-
Filesize
1.9MB
MD51f39fac8d8f8c1e3e0697ebf585af36c
SHA1f98243a6bdea8f7de4cfa02d157e94b1cf925f51
SHA256ec2349f4f55242a8328a7f11c5013a7525fa05aa18a680c1d82f2d6d93e6e1ad
SHA512ebf1551cc77e6f815f18ebd38ffc3b581fbc0b07642175db9178652e3cad6be0a38bf978ea09d46815ca64b1482a87261ac5e34303b14420ce89c7c684a7aaed
-
Filesize
4.2MB
MD50e6e12f9a9c017b4be17933aeacd543c
SHA14c8fda6bdcbb813081a6d72bd6ad3ff430e17bee
SHA256738cdc197a8ece363679b55f005dccd3a943e4b333d69e946f80ff6c0445cd87
SHA5124050a406f72c3842fb207b40c77a153f96b863029e191cddae1ab1f59b3ba6a8f49a5de46e0a7159382fc101e1199a5c14d54f8eff29d55a246dfba4a232cf91
-
Filesize
2.9MB
MD5c3ee35c8b65f7b15a8941b2dee05835e
SHA162a6c389a94fff3eb70a308b29aa7ca8444dfcc2
SHA2567799197bff28707544d1c92e81250479de08e605210d39ec4b395a89e9489ccb
SHA512cce2363ac083c3929839a430e0219c28da3b2d805edbb059e5c40a00ed659b9337635dadc9db86acc86993945533c4661fcaf637a22ab349306d69221b0d8789
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
112KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
284KB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
4.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
284KB
-
Filesize
40KB
-
Filesize
1.7MB
-
Filesize
4.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
3.1MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
5.0MB
-
Filesize
3.1MB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
8.5MB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
12.5MB
-
Filesize
8.5MB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
5.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
12.5MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB