Overview

overview

10

Static

static

3

0bfa88e137...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bfa88e1370bd7dd80b0e8114e204bd1d8bd8ecb818bbafd1fac8fe03ab90811.exe

  • Size

    6.8MB

  • MD5

    f4c2094830af40c3be9d9295174a1a12

  • SHA1

    a72c84e8d9aa42d5687b8199315325f4409d7a68

  • SHA256

    0bfa88e1370bd7dd80b0e8114e204bd1d8bd8ecb818bbafd1fac8fe03ab90811

  • SHA512

    ee1137e38875c025ec97b6ab6eefd9410a639ffa165bd8e4028401bd437ec4fb4f4c52d5584a9ed73fd8d350237292e4483a511eb7f40b988ca12d288057262e

  • SSDEEP

    196608:8fvIIAmVgM+GotPL8sD/cFO1XUPAY8GCXIQ+:uvIIHOL1EFCUPAY+X

Score
10/10
amadeylummastealc9c9aa5stokdiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bfa88e1370bd7dd80b0e8114e204bd1d8bd8ecb818bbafd1fac8fe03ab90811.exe
    "C:\Users\Admin\AppData\Local\Temp\0bfa88e1370bd7dd80b0e8114e204bd1d8bd8ecb818bbafd1fac8fe03ab90811.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1y58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1y58.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6T54.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6T54.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1I12N9.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1I12N9.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4884
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z1707.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z1707.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3J83p.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3J83p.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1484
          4⤵
          • Program crash
          PID:3520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C590n.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C590n.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
    1⤵
      PID:4352
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1944
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:844

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C590n.exe
      Filesize

      2.7MB

      MD5

      89552ef846075f39f6d21e9369bad5e6

      SHA1

      84dc75b438af5ef48e391922ff29d31afe22c09d

      SHA256

      fb7af8be5f3b0fb8efe5f888f60cbdd721bcc30e57d2348a6cf7e9ae5d44ba73

      SHA512

      ba113381e61f5058b6f55399f96538499d5dc043657a345113ad0096ab0c044395d78901eb2c909557f5261227d323c805e99a0921ab5ac28bb3aced802c6c5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1y58.exe
      Filesize

      5.2MB

      MD5

      ae8fd2e316492ec86ee8bf6e7ac148c4

      SHA1

      4f60a73ccb8fc9b0915fe3f05750a7da70a06ecb

      SHA256

      ebbef45e8006f666f06bcdd37178079b010f6cee1733630469f76a5c8671be7b

      SHA512

      98112bd4176b09c1528d2458c0ac360d62ecf9cf95342b0c361a9bd08d6505b60b44172c3f6d01d162c4848901e2d120900e3a0d8cd51346a8b8ae38c7ce7e22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3J83p.exe
      Filesize

      5.0MB

      MD5

      1a0527b260fa04d76f3681a8e8c073e8

      SHA1

      30770bf1453e27aaa646012fa206d1dce9303ee7

      SHA256

      cd4983b57559febd4defa362f134cce10e56878b1009d7ce7c8b921e3a663e0a

      SHA512

      1276727d328ded813f70ea4c1b6475aea0fdc4ecf77b1b924d39699c547e76bf6d352eda4fbc63d298d2ef407cac1686b8addfbdd4bb92f66b09379b0114340c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s6T54.exe
      Filesize

      3.5MB

      MD5

      1db21fdaa57d4e3a3f9a12fd472e9dd4

      SHA1

      9bb1c1754ba19160ea360dee4e0c847e3ef35b8f

      SHA256

      18123d4a95846a316bd2188378811f53019854b63814ec90512a723ab63c842c

      SHA512

      03a241aaf61266ee95af9d18c1cc67ef302ac70982a1626c97771d56165e4626dee0bd76295d0206e03fe3a706edd71687b505a878bacd715b5dd0f031b8cbae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1I12N9.exe
      Filesize

      3.1MB

      MD5

      1c118d7fe75b1ad72fa3d058e23d6fe8

      SHA1

      800d1f7f69c3402b8a71c97087590388c9338969

      SHA256

      c2c33c001c306f2699d9749bc0596c3ee856a6ada67f32a6f15e03acf390c0fd

      SHA512

      6b3b8abafef71a426f9851bf1067becdb69a34881460308605d06e667babb7f7c72fed53b8f42d555e04b7c3b172b6475db95c5988fce47f7a74bbb463aca8a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2z1707.exe
      Filesize

      1.8MB

      MD5

      8dfd2ea00fdde8c44a5c9cca9b3a1282

      SHA1

      7b5706096da014004a204113a729a5bd8eeee89e

      SHA256

      02e2b7baf57cc228049864c9e29674714b8a4b4021afc3306604cdb2512dc193

      SHA512

      9a5acab39684ddcd516debd3f5f075d584628700f7458e2448befa8e77cb78d3c6f520efdb93d825ba97d515a91a93752c15891d3ae147e9190bba9140bba099

      Download Submit

    • memory/820-57-0x00000000000F0000-0x00000000003A8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/820-65-0x00000000000F0000-0x00000000003A8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/820-62-0x00000000000F0000-0x00000000003A8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/820-59-0x00000000000F0000-0x00000000003A8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/820-58-0x00000000000F0000-0x00000000003A8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/844-81-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1944-71-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1944-72-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2836-34-0x00000000000E0000-0x00000000003FA000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2836-21-0x00000000000E0000-0x00000000003FA000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4140-49-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4140-50-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4488-53-0x00000000002C0000-0x00000000007BC000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4488-52-0x00000000002C0000-0x00000000007BC000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4488-44-0x00000000002C0000-0x00000000007BC000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4488-47-0x00000000002C0000-0x00000000007BC000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4692-39-0x00000000006B0000-0x0000000000B56000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4692-40-0x00000000006B0000-0x0000000000B56000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4884-51-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-68-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-82-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-45-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-46-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-69-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-35-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-60-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-73-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-74-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-75-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-76-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-77-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-78-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-67-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4884-66-0x0000000000560000-0x000000000087A000-memory.dmp

      Filesize

      3.1MB

      Download