Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 09:22
General
-
Target
75bd02eef5e0c2d141b8e0191445b06f70f899a029fcc3e6fea3fb25c15fab5d.exe
-
Size
6.8MB
-
MD5
88730a67bbaba4f84c4bbafcde41aa90
-
SHA1
f9b0426df35199de140198222b0c94c057ebef62
-
SHA256
75bd02eef5e0c2d141b8e0191445b06f70f899a029fcc3e6fea3fb25c15fab5d
-
SHA512
847541d538a6b82a7d2f2e19a02df4280ffe315d4bc0c6faf74073d816a4e79b1be7df0af74665e7ce643e46fa0327bf43f80ca3c59fd2b9280c8754640651b5
-
SSDEEP
98304:gEC4seNE+VXF/+zD2AKQ3pZZhr8BmLUfJFpsZ98zfsP5BDZ+UeDLLd1WW2H6Ip:BhtF/+zqAKQ3n8BUUfRuBDsUm1WpHV
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\75bd02eef5e0c2d141b8e0191445b06f70f899a029fcc3e6fea3fb25c15fab5d.exe"C:\Users\Admin\AppData\Local\Temp\75bd02eef5e0c2d141b8e0191445b06f70f899a029fcc3e6fea3fb25c15fab5d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D8o51.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D8o51.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9M33.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9M33.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W45c2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1W45c2.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2M6062.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2M6062.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3f72C.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3f72C.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 15524⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4i075O.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4i075O.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4820 -ip 48201⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5680b734904d2c06188120f711a04fb0b
SHA1119a1036fc4e0dfaa20161e5cbb95fa0eccfd2eb
SHA25616d15285e09f9fcb44f649dd3cdb60bfa3a80f46ccb3c1c72865d873b01be05a
SHA512eafe65932f8b75e8af74bbc72f68abd50edc70880af6090f98341d88045f696c98b9cad25d37a41794378646da96845c55fab440cc52d1af9d878ee8779c3b3c
-
Filesize
5.2MB
MD546ac285b2445dc40de436ff2a267e27d
SHA119ffe3089d2f1497477dce6019edb99ece1d989b
SHA2563da1c2aa00c2fa1fa4474e7c52ffd1cb67f5fd805abca95eb50753371756f68a
SHA512dc5f1134e9ffeaaaa1daad1827e9b1c1748571fdf2776d6cf019729520a602e87b3df54f02254d7207a4e6947c79b6a3ea81e77fe8a946a59558c131e92389ce
-
Filesize
2.8MB
MD542b028b291d1a3fa0d29bfac364120bd
SHA169c6f40ecd067ec1b40f76ae2027e6ff3e8a1489
SHA2562b2f509e03cd5373d2d1fb4cb8de1f3b7ce6efdcfdd552149fcd3df4c8081176
SHA5120bbe158a1a5a427b93d73ffd63dc87ea4484ca7dcd7208323784e7e52d9b06d93e4e4a81b6a1937a19ce75a4ac66c78c0e41d45d44550a487b86582539ffac08
-
Filesize
3.5MB
MD5e044d0b224e5fd588b1eb360d00f2951
SHA1179d05e10cffb25aad6dc0d271d2c30c141078dd
SHA2569895a84e8daefe0c99ce7bb8e53571aa95d6122cf844660631be5a18fb712fd3
SHA51270595f357ee768120c98144f202ce76a1f96f88cdd4d8826375b00edb663bfb472bd01e696cc9e32de4b8445b75ac9edcf2376e31a82d9e68f9e819f16c9a604
-
Filesize
3.1MB
MD50e1a8ebf6eba102aaecaf8f7c5856223
SHA105a7580a01e5e9996ba6267e515bedb75fbe33bf
SHA25674b5290b8e5833a76884a28980c7f5ce27f6757109759848c5437a7410ef020b
SHA512c299b26f9cb948d32e24cb1101f53254455c0056b00a035781f47563a61fc52caf5fae0b1209253e381d5e7e67b662574451308da8c7bd67c103a0af233e7d7e
-
Filesize
1.7MB
MD5e9dcb1f16b0f4d16dda27e91e9f394e0
SHA147f99cb7c1ccb5a57a95debe478e4bfc7ff07d37
SHA2565d7de4e442a2e7772b4c899d7bfa4eb61e1185d130fbdbb109e0de4f5bf1ef2f
SHA51254d9754a741a63637aa565598d4b7db42c27ea86bd37df11b4b91cb543f469e56e02c675ed8d32b0e0b5a303e2079ae55fb3c552c1c7132791cbf1810a51e0fe
-
Filesize
3.1MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB