Overview

overview

10

Static

static

3

9d892990e6...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2025 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d892990e6a65928dba3e790f3f9ad7e10d425c561c5ef9c6cbf410f47ce3610.exe

  • Size

    6.8MB

  • MD5

    0c2e9c4df198147c1a6c18702c766c13

  • SHA1

    6f6f7c12603479ed116083c964a02df224f5b60d

  • SHA256

    9d892990e6a65928dba3e790f3f9ad7e10d425c561c5ef9c6cbf410f47ce3610

  • SHA512

    d4b87bc33c73964bffef84a89a8945f9799262e215fb2938f16bd44f0fff2c2f4e7c9e13cc6e9f169437c4f77f0c9e54e349939908d8e5e197413f4c2488eccc

  • SSDEEP

    98304:bjlCzhG2uwbBpbwMkCCMjGQPHLBhvNDbrhlgZmq7Faau019szmKGNmFjTSg+C0BN:N2Y2R1pbwMk6GQPBfvca81SCUjB+

Score
10/10
amadeyhealerstealc9c9aa5bratdefense_evasiondiscoverydropperevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d892990e6a65928dba3e790f3f9ad7e10d425c561c5ef9c6cbf410f47ce3610.exe
    "C:\Users\Admin\AppData\Local\Temp\9d892990e6a65928dba3e790f3f9ad7e10d425c561c5ef9c6cbf410f47ce3610.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2s22.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2s22.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\j0B47.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\j0B47.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1N25c2.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1N25c2.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N4137.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N4137.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3156
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X60G.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X60G.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:5076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1544
          4⤵
          • Program crash
          PID:5112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R586o.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R586o.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076
    1⤵
      PID:1092
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2056
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R586o.exe
      Filesize

      2.7MB

      MD5

      3160e4f39b2c1a0a7249f31af7150988

      SHA1

      b6ea8ac3caae9bf6c985abdccf9871f9b5fdb41d

      SHA256

      28d12c9dc46ffd71a54496fc689d808aa0dc1e7ba52fa213b2dc73f2a1f644eb

      SHA512

      b726b074b8148e880b0e7487917a033ea77b99314c3fa4d6214c1f565a73e70b276ef3b40f68b24be3d267c2fa63240587823e4dca187cf92ad169cb86d1de25

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2s22.exe
      Filesize

      5.2MB

      MD5

      f8469f250916868ccd1ca305996c7c05

      SHA1

      494b99569976e70bf3d4247759495c9372b5cbb4

      SHA256

      f11d310fee7ba05f105ce3fa550c99c4ac832555bf34d8f9d619c1641f35652c

      SHA512

      f96c0870ad89ee6c12bcec56d03a1051ba4b5ab502cef4236eb67dfd06a26ef929523b4134f4f29616474ac1d86d97a50de84406d9e3d5606cad2aecaf9071f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X60G.exe
      Filesize

      1.7MB

      MD5

      0b11da9f066fe2274bb6279b16d670bf

      SHA1

      2a767706454bf4770c369233415a8285864c400d

      SHA256

      a7fe0330982a0ec1d976412ce3c5101a3ab687ba4f48e80ee5f5498ea2e83f69

      SHA512

      fcd421e8c944219d05791c945eca8f5ebde003f12360ad8cb3f0bbe200a586f380725076925833e2b90201c069cae400898818fc2c3f620d60e3dd234a36ef55

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\j0B47.exe
      Filesize

      3.4MB

      MD5

      1ef13c1d9e0cf280641fdcc643046c2d

      SHA1

      6e70228f9dce23226e6f5273e250ff159437effa

      SHA256

      bad730256bf37f38eb4da71988348a1e8c052539e8f1969240040d24f6da04be

      SHA512

      c764e44d4f2b33eeb5802ba1472377c1d19655c9bb578c6387912b0dc4bcce844cb1386d14406030c09aec26b3cad3d7769361cce8ec72e2caf8453e2a4b290a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1N25c2.exe
      Filesize

      3.1MB

      MD5

      ae79503bebe569117982e95d21fae5bc

      SHA1

      c27bb08d93bb158ec3927d56218f177106bce996

      SHA256

      d3a9b5f9e9852ea879639de743f6850609b39960cc94e5284fbea1e24d4cdf9f

      SHA512

      fdc606dc268a880c74aa7bce87e95eb847f46c1a620c9573f771bd5ea83600f149e322d32985662bbc3f7d71466cdf946177edb02f936ffe212a75622a61e568

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N4137.exe
      Filesize

      2.9MB

      MD5

      be767bbecfa446f9dfc0b373bc6527c3

      SHA1

      66fcd30d68f57e73ea4c0926fcf4b707bb9e95dd

      SHA256

      553d5918141cb4da62a80742d6d36d5f0eb0254ecb8e94cd898c99211c1b85c0

      SHA512

      572b8f8926bca41655e11a24c49edc8e88f6f71ba89764c6a43b5adbc6f2cab27e80524dc7ebe6c17129db3d09d15d5826dd8c247844f6fb07ffa8a300285765

      Download Submit

    • memory/756-56-0x0000000000770000-0x0000000000A2E000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/756-57-0x0000000000770000-0x0000000000A2E000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/756-66-0x0000000000770000-0x0000000000A2E000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/756-62-0x0000000000770000-0x0000000000A2E000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/756-58-0x0000000000770000-0x0000000000A2E000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/1740-20-0x0000000000CF0000-0x000000000100F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1740-34-0x0000000000CF0000-0x000000000100F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1808-73-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-32-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-71-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-50-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-78-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-77-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-48-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-76-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-75-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-74-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-61-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-46-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-45-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-67-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-68-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-69-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-70-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2056-60-0x0000000000770000-0x0000000000A8F000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3156-39-0x00000000006C0000-0x00000000009B0000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3156-40-0x00000000006C0000-0x00000000009B0000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/5076-49-0x0000000000B50000-0x00000000011E7000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/5076-44-0x0000000000B50000-0x00000000011E7000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/5076-47-0x0000000000B50000-0x00000000011E7000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/5076-52-0x0000000000B50000-0x00000000011E7000-memory.dmp

      Filesize

      6.6MB

      Download