Analysis
-
max time kernel
113s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-01-2025 23:34
General
-
Target
699e840b70ceb65ba8ee87a9f8a3a8e27a24d3c4f93b1d7330ffb550c18d28aaN.exe
-
Size
3.6MB
-
MD5
cb1ecd87e0b3de08f201bdcd8d6c6c50
-
SHA1
2ef38322337a78effceac72df56d76c744dd9100
-
SHA256
699e840b70ceb65ba8ee87a9f8a3a8e27a24d3c4f93b1d7330ffb550c18d28aa
-
SHA512
3cb5ee1ffe122e05bce46b94bcecc5edb47d20178398e45cbc265d6aeca6efd197ba34c632af07cad884ac506faafe11d13229fdd7776eddffc4ed427ce5b674
-
SSDEEP
98304:Hvf5N1TQkd8XbB5tkfDUXLM89F3Y7WlnzC2OA/Z0:Hvf5N1TQkaBXsUXLDTlnzC3AR0
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
Extracted
lumma
https://fancywaxxers.shop/api
https://abruptyopsn.shop/api
https://wholersorie.shop/api
https://framekgirus.shop/api
https://tirepublicerj.shop/api
https://noisycuttej.shop/api
https://rabidcowse.shop/api
https://cloudewahsj.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\699e840b70ceb65ba8ee87a9f8a3a8e27a24d3c4f93b1d7330ffb550c18d28aaN.exe"C:\Users\Admin\AppData\Local\Temp\699e840b70ceb65ba8ee87a9f8a3a8e27a24d3c4f93b1d7330ffb550c18d28aaN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1j62N7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1j62N7.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2m0273.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2m0273.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5a14fda621fe91d8b673bd93137426acc
SHA13a3094ab0c0caf4287417b951423d435126f4f11
SHA25682752dcbdcfec66485429870f35a625f2c817d5fc58d0c29e2e545a570f6c3c5
SHA51291015aa5df1a90cfb72c862c0dc0020db83ce10e0ef85850f38a5f59a03710ef32d42eaa1f2ce396825b4859ae012efc5740f91fee2a68a8ca4b7cebd50ae95e
-
Filesize
1.8MB
MD574d81c956c1bb54f6d3c7c98c6eaa982
SHA196704c7f4f7c61459074d35795a2327b9ef8b7a4
SHA2567145e691801013f96f6b3396f5c9475c0530c3918f5935f85c27f08bae4c4872
SHA5123099c2d171dc546937b261bb1cf5a64a343b6c69152378f9dcad1138daec9838f70c014b8b5a8ad96636e3372fc908d7b6527d36641c1fe53fc81b89b135600a
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB