Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-01-2025 06:06

General

  • Target

    28b457e5768f94fc9a91141691a4a7668ee2fad9b98fb41c58820bb9f6b91c86.exe

  • Size

    6.8MB

  • MD5

    db24925856d8bb032a09d71281ea6d2f

  • SHA1

    f5ae538df1068bf08da46890c6886789f72c7e3f

  • SHA256

    28b457e5768f94fc9a91141691a4a7668ee2fad9b98fb41c58820bb9f6b91c86

  • SHA512

    b0694ace6ddceda2c6928eb04bedbd9986fc376c2888c94aaf73e5fff9a39f58ee889df03ac43e01188a95abe4799cdc289c728cf7397b46c12dca35a74377f2

  • SSDEEP

    196608:vb78hD/QysXBE8CjyrJNChI420+q9Eoas4faPB:vb78hD/Qys5lJNKL2tqSoasrP

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28b457e5768f94fc9a91141691a4a7668ee2fad9b98fb41c58820bb9f6b91c86.exe
    "C:\Users\Admin\AppData\Local\Temp\28b457e5768f94fc9a91141691a4a7668ee2fad9b98fb41c58820bb9f6b91c86.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q1f44.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q1f44.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5p31.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5p31.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Z46k6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Z46k6.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3236
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2f0931.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2f0931.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3A77y.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3A77y.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1544
          4⤵
          • Program crash
          PID:4808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Q360G.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Q360G.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2412 -ip 2412
    1⤵
    PID:4668
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1532
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2348

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Q360G.exe

      Filesize

      2.7MB

      MD5

      9ed1e36985f46f2e8b164f81cef04912

      SHA1

      020ef1719f6c4260b2ca2bd5f131527d2cfe5af6

      SHA256

      6065afb5e0d2aed9b2b67729bf438cb0ed0103e202430d59dca04d516275942d

      SHA512

      74e2f76f5b6f198ce288c9e7cb118c61b7d178ce1e0160ed461b29effa1ba2758f3450d7374295508081e84614446aef179bcf202308c67426d6af4b664fd8c1

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q1f44.exe

      Filesize

      5.2MB

      MD5

      7905079c73d3015cd055910a4dc646e3

      SHA1

      16201c05a0b88b189a976e9691535408029a6c20

      SHA256

      1f45ffef5a4fc1dbe33ee51f2a0bd6f2f7bb3ae50e711415c276bc34deb41875

      SHA512

      29aa1021028b47c29939826330ac0b78f948ec763a1ee714debbca024356e81b6ee95303e0bbabcb76e59db6f27aed1132103827324ff13fe6959f656c976f19

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3A77y.exe

      Filesize

      1.7MB

      MD5

      f09e48c537732a4af348cf06a914b18f

      SHA1

      daffe0df371a7cda4bc9d3684c6d89479f19e3db

      SHA256

      b7eafee6c9c745b54b207f6e10c264a20662715c298394bd8010ae6befb80767

      SHA512

      188e59f226b07c0a87e48b56b2422957ebbebfce7a3749af7a2488bcc94925ff3cda7e1a8f4bbef0815089199a1c6e978a930498dc9a80188ecb996e0bcff8a0

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5p31.exe

      Filesize

      3.4MB

      MD5

      b72fe7f0b4739e0960f8274b9f799051

      SHA1

      e85d0aa30fb0848a85d418cdc0890c08697c5b48

      SHA256

      26e6670c89654de7aac7794e32f713c38bf29b0774c67cf4c1eb5a24fce6606a

      SHA512

      69873f8501a1b4bcd640d4300e0591479ee83b07b52e436b9944fe4089a9883dd25b28664dd121a029c79e9870d49ad762b5ce8d16fb3d0efb58215eba5af510

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Z46k6.exe

      Filesize

      3.1MB

      MD5

      1784247c48ceec3a18690cf26ccb0715

      SHA1

      4d8bfe218bfcebed7b6b52e9638047869242a598

      SHA256

      344508b0831c06b406c9d924f55fcb1d9994ce02416026346efa3369f5a46100

      SHA512

      6f697b190a9132fb2ed1010bc40bbd5388e9c391853171c1db277368b788621a4df24a20f893300b5b68d7376a1fe048a67731716d2633e70970371a148f4cd5

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2f0931.exe

      Filesize

      2.9MB

      MD5

      1b7bcef208ce98ddd7c7cedac23d6e9e

      SHA1

      b8c1002938f6888ee97d7ff8f07646117a076ada

      SHA256

      c3d003887a80d9e06453d15cde2f2473e8a37656cc407731ff8a2191126c9374

      SHA512

      97d5b00f9b2e2f539cf17c4bf22b0e7a5b56a8c4311dd31fc230ff00b55434bc514d9fe7677ea68272bcd9064271904ea17dea9a15024b1c14d67d16173e23c8

    • memory/908-49-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-77-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-68-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-83-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-33-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-70-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-69-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-50-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-62-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-78-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-53-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-73-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-76-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-84-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-75-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/908-74-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/1148-39-0x0000000000FC0000-0x00000000012B4000-memory.dmp

      Filesize

      3.0MB

    • memory/1148-41-0x0000000000FC0000-0x00000000012B4000-memory.dmp

      Filesize

      3.0MB

    • memory/1532-72-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/2348-80-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/2348-82-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/2412-45-0x0000000000EB0000-0x0000000001557000-memory.dmp

      Filesize

      6.7MB

    • memory/2412-55-0x0000000000EB0000-0x0000000001557000-memory.dmp

      Filesize

      6.7MB

    • memory/2412-54-0x0000000000EB0000-0x0000000001557000-memory.dmp

      Filesize

      6.7MB

    • memory/2412-52-0x0000000000EB0000-0x0000000001557000-memory.dmp

      Filesize

      6.7MB

    • memory/2412-51-0x0000000000EB0000-0x0000000001557000-memory.dmp

      Filesize

      6.7MB

    • memory/3236-35-0x0000000000A80000-0x0000000000DA8000-memory.dmp

      Filesize

      3.2MB

    • memory/3236-21-0x0000000000A80000-0x0000000000DA8000-memory.dmp

      Filesize

      3.2MB

    • memory/4764-48-0x00000000003C0000-0x00000000006E8000-memory.dmp

      Filesize

      3.2MB

    • memory/4796-67-0x0000000000DB0000-0x000000000106C000-memory.dmp

      Filesize

      2.7MB

    • memory/4796-64-0x0000000000DB0000-0x000000000106C000-memory.dmp

      Filesize

      2.7MB

    • memory/4796-61-0x0000000000DB0000-0x000000000106C000-memory.dmp

      Filesize

      2.7MB

    • memory/4796-60-0x0000000000DB0000-0x000000000106C000-memory.dmp

      Filesize

      2.7MB

    • memory/4796-59-0x0000000000DB0000-0x000000000106C000-memory.dmp

      Filesize

      2.7MB