Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-01-2025 08:33

General

  • Target

    f37b2cfa40867a933f1a65fdb513ce826e5115f645f507bf5c42a0d1729a2884.exe

  • Size

    6.6MB

  • MD5

    cb283a31407d89e3d473a4a3c6bccb12

  • SHA1

    32321b03c7956418fc427394167bda255600ce07

  • SHA256

    f37b2cfa40867a933f1a65fdb513ce826e5115f645f507bf5c42a0d1729a2884

  • SHA512

    a5cf0be1723c5320e7785f397b03505c74d2ddf62afc3d5161f140a5532495dd894c66b6f39861c9f3c5e33e87c8008cc03ce296330e61a125cd1aabb459b646

  • SSDEEP

    98304:4cPNr/jVQ3HgX2btYqDyH/+FPLZarPITMDWo+P2YGUYd6kPitfCqKkJq:4cPp/jVQ3MCGf+FPLZewTMDWYYvY3Zq

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma, or LummaC, is an infostealer written in C++ and first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f37b2cfa40867a933f1a65fdb513ce826e5115f645f507bf5c42a0d1729a2884.exe
    "C:\Users\Admin\AppData\Local\Temp\f37b2cfa40867a933f1a65fdb513ce826e5115f645f507bf5c42a0d1729a2884.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U9K72.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U9K72.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z7a71.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z7a71.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1i62L2.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1i62L2.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4756
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:944
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N7615.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N7615.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3n45j.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3n45j.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4084
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J327b.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J327b.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3464

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4J327b.exe

    Filesize

    2.7MB

    MD5

    ab1555048f81ac35a022ba052db436f0

    SHA1

    174e53a86aee235799e575f13968f723a5c3ce35

    SHA256

    39cb7f251949d459f1fbcbc9f6d14e91d1cd97ca245db052680d993f1d0c8a9d

    SHA512

    e535e7fceab1253d6ffcb9e5d55716d64d25844f2c70d3e44a2cb428fbb77fe3012eecb2eefb3c71ea3f25252779020c28cfa4effd6a94a354dbcf4764162a0c

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U9K72.exe

    Filesize

    5.0MB

    MD5

    5dcb6be62525d9ff24fdaac28939e52e

    SHA1

    3bedafedaa87031bec9b733e7180ddbff02867ab

    SHA256

    009e2f1b08de8adf8f228c4281e67293a5d16cd875f92420c5db11f147c45156

    SHA512

    b572b9028c3e006c760a2397769d6c333ba1bfbdd29de3c5efd7c94c63f206f05b49b1e6cc52f9c164d770bf51fbc8bbd6c44273a619f51b41f4d09696f172fe

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3n45j.exe

    Filesize

    4.9MB

    MD5

    48575481fb3b42ee40e6e2076c17428b

    SHA1

    d5fca3c02ab4c0ae6d6a2701008fdeb4f5bb78e0

    SHA256

    f6ba046ab0fe30b63d4aad134e666f63130d4adf2782a48bdfb904e3a6eef643

    SHA512

    131c00189e25ad2bb8b096df865352e3a94d71ff84e5fffdcdaa1a7413e9bdb5f6b9f30567a9a200dc942a93ac06f72c8480189f86ae2b5b2b57e24287b355e6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Z7a71.exe

    Filesize

    3.4MB

    MD5

    b223a7c562f023ea3a5eead6b4001c35

    SHA1

    08aa62ef7bbe345ebcefe90c7bc42832d7b362fc

    SHA256

    17d563059831b5fde8164aed9c72b09c0e0a5235055dd43a1ac5a0095af37bf3

    SHA512

    bf5033d774923bf8b7f87b9063c7a5e4f97e96cbee39aba037a2150b859e11990a0b907e0942ed88d6fb5c89ef17d448ee7a380d706dc7fd4c5bd66d6954d701

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1i62L2.exe

    Filesize

    3.1MB

    MD5

    9bf86da11eb43c6a3929aca3954c8b9a

    SHA1

    b92b7b9ea66d6b37efad4ea4ef57a9b91af8db7c

    SHA256

    fb4ab4e85d5b8e0eec8416ed4b90cb4bfc74120d3d459e975cd9eaf2c32a0ed3

    SHA512

    7619a126cfa132f6dfb9daa8351488b0ff0d2a4cf2a46b1c16288c54d556c0b527afa40c800f6d0bcda64a6976ae66f1a96d8873f44af29b6c550b0f597a30cf

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N7615.exe

    Filesize

    3.0MB

    MD5

    0e2fa893f58b30d6be75288a02e917bb

    SHA1

    cd7bff7bffd4ff9b791572f74ff2b09f7661777b

    SHA256

    53e57c2f07359de76158544b0fbb305d9a0f3d6b0b41f326db64d3c2dddcecb0

    SHA512

    ed04f3092e5c7e3ecd7963e4d13f6b2cebaa40a412629c0e71b2fadf42a1d9998038d94a7c54f1d5b9c73456f0e690383d8409c8078ba652d33934498936a93d

  • memory/944-{31,37}-0x0000000000320000-0x0000000000641000-memory.dmp (2 snapshots)

    Filesize

    3.1MB

  • memory/2684-{34,38}-0x0000000000280000-0x0000000000583000-memory.dmp (2 snapshots)

    Filesize

    3.0MB

  • memory/3112-{49,50,51,54,57}-0x00000000005D0000-0x000000000088E000-memory.dmp (5 snapshots)

    Filesize

    2.7MB

  • memory/3464-{27,47,52,58,59,60,61,62,63,64,65,66,67,68,69,70}-0x0000000000320000-0x0000000000641000-memory.dmp (16 snapshots)

    Filesize

    3.1MB

  • memory/4084-{42,44}-0x0000000000720000-0x0000000000C0F000-memory.dmp (2 snapshots)

    Filesize

    4.9MB

  • memory/4756-{21,30}-0x0000000000EC0000-0x00000000011E1000-memory.dmp (2 snapshots)

    Filesize

    3.1MB