Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 01:26

General

  • Target

    33d74d9b6a0e62163eec0f0945a4c6747de22d824bf176a15cf88d4c005e781c.exe

  • Size

    7.0MB

  • MD5

    c421d8aff5a33011d73da4c721e22a83

  • SHA1

    94332aab52a78832cb6f818043450b96d9d5a630

  • SHA256

    33d74d9b6a0e62163eec0f0945a4c6747de22d824bf176a15cf88d4c005e781c

  • SHA512

    3d4113e7b11414c00294f2fc2d6b9b25efdd59c043f9b5e27982f360fb8058f2779ab4c5ed18e98493adcbe10481db00a4c19ea26427935786e2f0aebfbd2493

  • SSDEEP

    196608:oZRoaLtusdfix2FsNDMhXpb3TJ3t9Kn3+:oZRH4sdfixZOHbNZ

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33d74d9b6a0e62163eec0f0945a4c6747de22d824bf176a15cf88d4c005e781c.exe
    "C:\Users\Admin\AppData\Local\Temp\33d74d9b6a0e62163eec0f0945a4c6747de22d824bf176a15cf88d4c005e781c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K8c82.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K8c82.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2W75.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2W75.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1B00D8.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1B00D8.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5012
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2p2950.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2p2950.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4764
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3N94z.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3N94z.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1564
          4⤵
          • Program crash
          PID:2336
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e252B.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e252B.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 392 -ip 392
    1⤵
    PID:3496
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2420
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e252B.exe

      Filesize

      1.7MB

      MD5

      6b5c46ef101f1514c6a76c2adad390e6

      SHA1

      a5c79ae023cef430bd2192d55a739298b637ba07

      SHA256

      7484ef96999b317aecbf4a1a7a24e1085fedaca44e5897fca2b26f9cc84a10a9

      SHA512

      20e7d323bef13d1c7f442196c5a5e83ec54440423ce1721f182ac4dd81ff8b481fd294cfab7a5ad288325b1f29873b02d4f567b0761ec81aff442883e0ac5320

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\K8c82.exe

      Filesize

      5.2MB

      MD5

      b1e4e3faab2e7728ac25ea011a3e671e

      SHA1

      699b6eace2178892cb1da5b9d6286e23b40bb20b

      SHA256

      584a7387d91a2dbb02390ea4cd940dda2710a153d513ff55a54906dd978500c1

      SHA512

      2b6098ed75949ed7dfcae346f187c9c4ed9611810c6d704b454c497ee9f4201a02abd33c39dd412a4d5ee1e83269fd11f5bd33c07caba80d97d899ba01e5680f

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3N94z.exe

      Filesize

      1.7MB

      MD5

      83065aedb74a916c72a8dfdf8a5da4c5

      SHA1

      ace88826a1d2d2ace0d01a013394dc5a719499ed

      SHA256

      4bd09cf18bd1f5aff3545195b31ba49cceb43c47da56fbeb1f095b724f1d151d

      SHA512

      4811027ab2d84b3bdddcedcc7a2f8e244301bfc1f588dabdd9ddd2108e4e9a1f70d309b1d57b03c467a6d4d7b0a28c3ecb52a3ee58b68365f6b4a3b985bd02f1

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2W75.exe

      Filesize

      3.4MB

      MD5

      ea9d4f684d03201e713707f28cb5a6ce

      SHA1

      1b436dffd7f5e9f341dde6c8bcd4625336203321

      SHA256

      ef1666f4bc8e5a9cbb94c9f60507868e9d6f068ea43f3f9c1f479d08685730b4

      SHA512

      b0171f0f457e8b33052d3de86cb182ebeb8c82ddccc71b5dabd1934f9e994f6226e018c12dfaf02fd328e0b24a857631b058ee528820eafcc2b8bd351bd9497e

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1B00D8.exe

      Filesize

      3.1MB

      MD5

      2062dcdc01cc90cfb899a5edb335321c

      SHA1

      2c1e3b929b604cb5b613d21b575c1af80a257fc8

      SHA256

      80d201f199f9369804d56514acf60612bdda4efee14e6706b82fa236e8219176

      SHA512

      93970d655fb52aee667a27ff5e9ae107ba93df6989f3bd65dbdacc47bf11badccda70b91ec5aaac057883ee7402fd557c4bf65b4c62892e679451adcf0f0b605

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2p2950.exe

      Filesize

      3.0MB

      MD5

      365bd725085ce5884e88224f933c579c

      SHA1

      e0873bc3b410a64eeb3606ccf024e9be52340846

      SHA256

      ab03addde6dced8a7eddffeddcd9a0f37287806349cc3f0f974ca636728d336a

      SHA512

      6a73b9ea144f15091751cded0be9d23f9015bb6c6eb5977689ab1a83ca0578c5e46680abd22d2c435c89be2fc1d7b5fe0f73ba20b07ef9f021aab2ffab5d8813

    • memory/392-50-0x0000000000730000-0x0000000000DCD000-memory.dmp

      Filesize

      6.6MB

    • memory/392-48-0x0000000000730000-0x0000000000DCD000-memory.dmp

      Filesize

      6.6MB

    • memory/392-52-0x0000000000730000-0x0000000000DCD000-memory.dmp

      Filesize

      6.6MB

    • memory/392-44-0x0000000000730000-0x0000000000DCD000-memory.dmp

      Filesize

      6.6MB

    • memory/1920-74-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/2420-66-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/2920-35-0x0000000000D40000-0x0000000001055000-memory.dmp

      Filesize

      3.1MB

    • memory/2920-21-0x0000000000D40000-0x0000000001055000-memory.dmp

      Filesize

      3.1MB

    • memory/2960-55-0x00000000005E0000-0x0000000000A40000-memory.dmp

      Filesize

      4.4MB

    • memory/2960-57-0x00000000005E0000-0x0000000000A40000-memory.dmp

      Filesize

      4.4MB

    • memory/2960-58-0x00000000005E0000-0x0000000000A40000-memory.dmp

      Filesize

      4.4MB

    • memory/2960-65-0x00000000005E0000-0x0000000000A40000-memory.dmp

      Filesize

      4.4MB

    • memory/2960-61-0x00000000005E0000-0x0000000000A40000-memory.dmp

      Filesize

      4.4MB

    • memory/4764-41-0x00000000000E0000-0x00000000003EE000-memory.dmp

      Filesize

      3.1MB

    • memory/4764-39-0x00000000000E0000-0x00000000003EE000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-33-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-59-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-77-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-51-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-49-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-67-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-68-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-69-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-70-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-71-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-72-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-47-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-75-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-76-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-46-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB

    • memory/5012-78-0x0000000000EA0000-0x00000000011B5000-memory.dmp

      Filesize

      3.1MB