Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-01-2025 06:22

General

  • Target

    fe5aa73d1812fa3bb706d9451672f86742fee0af447827f16c8c0bd6c6b53684.exe

  • Size

    6.8MB

  • MD5

    e4cd84b379d37c0aa7669c100a31d764

  • SHA1

    eebdf797e5caa7824219392921ab81247699b338

  • SHA256

    fe5aa73d1812fa3bb706d9451672f86742fee0af447827f16c8c0bd6c6b53684

  • SHA512

    be2ff3c2096dd19b818602aca2a94fbd99361f7924466aa11827278a7d8a0f558522f622ae5c39eb4a8f6f93bbc47709ae1616d399e0c5c59b0211941330f529

  • SSDEEP

    196608:P5cjp4ovHI0sB5vC0mJVwHdbbqVygfy0BB2JdrYEm4:RcSovofq0Dp2YgfyvYEm

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5aa73d1812fa3bb706d9451672f86742fee0af447827f16c8c0bd6c6b53684.exe
    "C:\Users\Admin\AppData\Local\Temp\fe5aa73d1812fa3bb706d9451672f86742fee0af447827f16c8c0bd6c6b53684.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\V8W30.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\V8W30.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9B89.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9B89.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C05a7.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C05a7.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:444
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1776
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2n3075.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2n3075.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Q60E.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Q60E.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1568
          4⤵
          • Program crash
          PID:4564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4l448d.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4l448d.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2036 -ip 2036
    1⤵
    PID:4160
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:5096

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4l448d.exe

      Filesize

      2.6MB

      MD5

      db50d25b9f957d615c235b376c251215

      SHA1

      a41a85b0ebbe047e9a20dbe61bd63c1c907e6bc4

      SHA256

      c162be8a0ab37a7332fb87ee31cc6a6ca54b4e6ddac6831be15d42e54de5195c

      SHA512

      9b0113b815acbd02f709369c6b8f9831cf54177783267316687261f66862333e82064b2b3ccaaf8c9c3ae1058cf425357edcf12e85b14744083d5cd1c832d4c0

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\V8W30.exe

      Filesize

      5.2MB

      MD5

      72a60c950abf3ddf3e21c034d5735059

      SHA1

      51eb0ee8af896afb0d5b03f83ceafef8d3bfdc2d

      SHA256

      3ba40d08d2ce5c87342059b43f3de40e978fea098827b2e2b66139b4e001b8b7

      SHA512

      1d8f9a6c8a1ac29e728e99deb21770a6ce8df6f9ac738d8b001092b68e260d313eb76adb860985382042f3c51a21a590679f049e52a00deec8b86286ada20b09

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Q60E.exe

      Filesize

      1.8MB

      MD5

      ee2a93fceb35b772cb6f99409215466e

      SHA1

      edf8566a7959c043f924bb1f59dedf139219dcbc

      SHA256

      03f9a14fb9fcfc10310a90c95600a851a386a1b94262f57d8a1947b0a71876c2

      SHA512

      3f1c77989af99721de4a45ca9a20a23967f2e342b44833a17ea84b32147d5cada4a42b05b6988d056ee1ccb0ea91d0fd8c7ffb975cb0ff03adacf4edccfe6633

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9B89.exe

      Filesize

      3.4MB

      MD5

      a2cff8c4bf7f32ad452d156798e71a55

      SHA1

      edb08bda473dc4732d102fd25b124a672ad5f2d1

      SHA256

      27999a38e09bf704a05c0758531614be5d9285d562ab091b37d1af1e3f23b94c

      SHA512

      f7dd612cd886c9180c907fff261b435eb27fa5560f88118cce959d38eb2dd2b7833f78b73ff220c69fa8feb78ede63d856af498001403e55c3f2598accb57732

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1C05a7.exe

      Filesize

      3.1MB

      MD5

      0712710991097e4a31a239fe12aa2b65

      SHA1

      4e43002e0fb7025e22ac90545958a77c5e5cf520

      SHA256

      1009de6528c68c44cc9be84391d0d3c4df76bb6b689525ef69a61cf5b963221a

      SHA512

      f84e60973f1c41792a2bf49ad456516841fc11c0dca6de8e18c34fef6ec13044c30bf91a74f3f07338e59e35cb49ec67c602b6c7286dba27199e7a46c3b16d72

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2n3075.exe

      Filesize

      3.0MB

      MD5

      ba7c5aabcc311b8304bd05af674d3a5c

      SHA1

      5735e0512673cc25f46a9572eff86e0cb19f6d71

      SHA256

      cd51ce4567252139b5f116f92ef5609b1566a3f28048e4eacdf9cf4f2800ce48

      SHA512

      aeeb7e9c51c9ba9d95c7601b97f54e4a0b421a8617bfa7e6f1f97d1da392f211364ab1c0e3f0ba394f2be501a485812dbd62dcd1cdf4093dd1560474ebacf427

    • memory/444-20-0x0000000000410000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/444-35-0x0000000000410000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-46-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-52-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-82-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-45-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-68-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-78-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-77-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-76-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-75-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-79-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-74-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-54-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-62-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-33-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-69-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1776-70-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1952-72-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/1952-73-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/2036-44-0x00000000008C0000-0x0000000000F6C000-memory.dmp

      Filesize

      6.7MB

    • memory/2036-53-0x00000000008C0000-0x0000000000F6C000-memory.dmp

      Filesize

      6.7MB

    • memory/2036-50-0x00000000008C0000-0x0000000000F6C000-memory.dmp

      Filesize

      6.7MB

    • memory/2036-51-0x00000000008C0000-0x0000000000F6C000-memory.dmp

      Filesize

      6.7MB

    • memory/2036-55-0x00000000008C0000-0x0000000000F6C000-memory.dmp

      Filesize

      6.7MB

    • memory/2596-39-0x0000000000A90000-0x0000000000D8E000-memory.dmp

      Filesize

      3.0MB

    • memory/2596-40-0x0000000000A90000-0x0000000000D8E000-memory.dmp

      Filesize

      3.0MB

    • memory/3984-49-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/3984-48-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB

    • memory/4456-59-0x0000000000180000-0x000000000042C000-memory.dmp

      Filesize

      2.7MB

    • memory/4456-60-0x0000000000180000-0x000000000042C000-memory.dmp

      Filesize

      2.7MB

    • memory/4456-67-0x0000000000180000-0x000000000042C000-memory.dmp

      Filesize

      2.7MB

    • memory/4456-61-0x0000000000180000-0x000000000042C000-memory.dmp

      Filesize

      2.7MB

    • memory/4456-64-0x0000000000180000-0x000000000042C000-memory.dmp

      Filesize

      2.7MB

    • memory/5096-81-0x0000000000EE0000-0x00000000011F5000-memory.dmp

      Filesize

      3.1MB