Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 20:18

General

  • Target: ffa6c59edc896439226c1c92d6eaeeb25460b6b8995289ae144859242beffb03.exe
  • Size: 6.8MB
  • MD5: ad29963f3520bfd5047a0ac4f3b37369
  • SHA1: e730b51e6d557d437323e85eb0a3be25622b5e08
  • SHA256: ffa6c59edc896439226c1c92d6eaeeb25460b6b8995289ae144859242beffb03
  • SHA512: 6088d7f585aff38a376819f5987005929f5f9798c2c7a0871ffff0448a0431b395da88e35362190a8fcdbc04dd521ace66149f1e1447b9f31ef8fb959562dfb6
  • SSDEEP: 196608:Aj3eSZJWAaN8EHIZnwGud39SzySOLM/87vCwv6Zm65BUFyiL9di:KvpnwGMsOvbCwv6Zm6fUUQ

Malware Config

Extracted

  • Family: amadey
  • Version: 4.42
  • Botnet: 9c9aa5
  • C2: http://185.215.113.43
  • Attributes
    • install_dir: abc3bc1985
    • install_file: skotes.exe
    • strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    • url_paths: /Zu7JuNko/index.php
  • rc4.plain

Extracted

  • Family: lumma

Extracted

  • Family: stealc
  • Botnet: stok
  • C2: http://185.215.113.206
  • Attributes
    • url_path: /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffa6c59edc896439226c1c92d6eaeeb25460b6b8995289ae144859242beffb03.exe
    "C:\Users\Admin\AppData\Local\Temp\ffa6c59edc896439226c1c92d6eaeeb25460b6b8995289ae144859242beffb03.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f2L48.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f2L48.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Q4z96.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Q4z96.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1L29y0.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1L29y0.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:3048
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2A1731.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2A1731.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3H39l.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3H39l.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1520
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1536
          4⤵
          • Program crash
          PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U624H.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U624H.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1520 -ip 1520
    1⤵
      PID:3280
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:5016
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4084

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U624H.exe
      Filesize: 2.7MB
      MD5: 3a07e187cea950c9b1dffbe01135ac8f
      SHA1: 2231123c233b4550cdff10964114410286ed6fa6
      SHA256: 34bad0ee4d935bcc8a1758c5d3aa6075917b8bb81bbeeb460382e9c9579ec245
      SHA512: 1e581b235656a8f5a1bb2cf32a33980f2636d47d7f8c0177220ed7630dcfbb066114322fb3185bdf032dc17bff9c6b2c07e67c13fa750b86554269be01009da8

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f2L48.exe
      Filesize: 5.3MB
      MD5: e59246bd6e928823c202800f4c21ae34
      SHA1: 31526580639576e435ba67a8db2acd945a3be8f2
      SHA256: 8bf190abf5b469ca1fec4496223bea4230c882823658dfa6f1c72ea2657e7365
      SHA512: 3f0cab7b91ac2058e4d6501ac77b3dee00274ee2d80b07a466c1138b5dfeb2ee176780aeac37b1b2858032f9762bca03f8b5556fdf403363b5f0ca35b840e723

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3H39l.exe
      Filesize: 5.0MB
      MD5: 1cd88ba6c43ec0f578f261746327cc9c
      SHA1: d2c1d38a835fdfc81be5739ae5b863a663118346
      SHA256: 0911c94ce0979522999ab8e796c4e5a3db35cdab27dfd208902c24f77556a967
      SHA512: 1b64ec2e8f48a6486836e5eeba530973317d3f468c3ae00f43b06c0254e9d200c8504d9ac2f17b8220d8fa5b1496bb934f9c950e2616f85fbf7a82192f014ec0

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Q4z96.exe
      Filesize: 3.6MB
      MD5: 19ee2a884a86ee7e339053533c397c9f
      SHA1: 2a659972edca18d1ab50bc97811e252fc8c19540
      SHA256: 78b42e274a87e70c81e2aefb60f5610d1abbb62c835e770649a279bf83bc563c
      SHA512: 2611a14786dc1c6a32f549c00e7c9f46e7674bdc4935c8f8b0d5546133feb040989879eef8e65d6568ae1ed2582a84c41e4d642fbee6e61dc3222e0318374888

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1L29y0.exe
      Filesize: 3.2MB
      MD5: d40bdd850dfa25108f5bfa3ed247b68b
      SHA1: 2c304d0fff00ba515e7d50639433f43c6fb6fa97
      SHA256: 2f35bac81857c12e8ce3283182ac2c2ee03ec207c0351f5eb44c16ffd16787d5
      SHA512: 356ff391e69b4f7e5896502eddf1f50ab352a1e30324e95261f58dd1e65a58d9e8803909592c88040afb092fd7d45ad459400db6309c4e14329c5bbdee8d626d

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2A1731.exe
      Filesize: 1.8MB
      MD5: 6be43af1d47558e4993b9c341da5a653
      SHA1: 0bef6b68199ee1f205326d3289b39102978ec1f5
      SHA256: 7e13dd0f50e0ded479413d1061d1d2f73fd2e51639e8b29b22776b4d0ab5368d
      SHA512: 28d30e5d6d6c39eebb4508fce49c40bb35b6075a6b523ca8a9f643b1930fc7a49406427317fffccb374314ec59e50d004ddf6ef7082ce532b1858c112ecc05e4
