Analysis
max time kernel: 148s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2025, 15:53
Static task: static1
Behavioral task: behavioral1
Sample: boob.exe
Resource: win7-20241010-en
General
Target: boob.exe
Size: 391KB
MD5: 0f0da8c280a042a2d402eb0cd44118d6
SHA1: 6be83472e2c0827b15ec819788298bb21f35c00a
SHA256: c19ab09c794ba5b102deb47330e3806380b6f547f8f84564ec17491087cb9fbb
SHA512: a54645fcdfb844bad2bf429f8d80a8a4dc41c99bcf896ecd6f25cc6b3341e23da72fb6376e17685f0bcb3ca62dd13fb641ec022cd724f51f0417aa109a88d960
SSDEEP: 6144:Tux5lfopCjuxHCkCjiIFmZVNxNWU9kFXLcU1yeCkSjEgUQ+iGg0ZTYoe:45lwk4in2VfC9wAyNkQWQpGgqTYL
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Extracted
Family: stealc
Botnet: reno
C2: http://185.215.113.115
url_path: /c4becf79229cb002.php
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
Family: lumma
C2: https://paleboreei.biz/api
Signatures
Amadey family
Lumma family
Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 171a45c8a1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3f1394bafa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file (5 IoCs)
flow | pid | Process
10 | 2568 | boob.exe
12 | 2324 | axplong.exe
12 | 2324 | axplong.exe
16 | 2324 | axplong.exe
19 | 2796 | skotes.exe

.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/memory/3016-1-0x00000000010A0000-0x0000000001108000-memory.dmp | net_reactor

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 171a45c8a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 171a45c8a1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3f1394bafa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3f1394bafa.exe

Executes dropped EXE (5 IoCs)
pid | Process
2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
2324 | axplong.exe
940 | 171a45c8a1.exe
2816 | 3f1394bafa.exe
2796 | skotes.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 3f1394bafa.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | 171a45c8a1.exe

Loads dropped DLL (10 IoCs)
pid | Process
2568 | boob.exe (x2)
2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe (x2)
2324 | axplong.exe (x4)
2816 | 3f1394bafa.exe (x2)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\171a45c8a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019179001\\171a45c8a1.exe" | axplong.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\3f1394bafa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019180001\\3f1394bafa.exe" | axplong.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
2324 | axplong.exe
940 | 171a45c8a1.exe
2816 | 3f1394bafa.exe
2796 | skotes.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3016 set thread context of 2568 | 3016 | boob.exe | 29

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
File created | C:\Windows\Tasks\skotes.job | 3f1394bafa.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3012 | 3016 | WerFault.exe | 28
836 | 2568 | WerFault.exe | 29

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 171a45c8a1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3f1394bafa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | boob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | boob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
2568 | boob.exe (x4)
2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
2324 | axplong.exe
940 | 171a45c8a1.exe
2816 | 3f1394bafa.exe
2796 | skotes.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe
2816 | 3f1394bafa.exe

Suspicious use of WriteProcessMemory (38 IoCs; identical rows collapsed with a count)
description | pid | Process | procid_target
PID 3016 wrote to memory of 2568 | 3016 | boob.exe | 29 (x10)
PID 3016 wrote to memory of 3012 | 3016 | boob.exe | 30 (x4)
PID 2568 wrote to memory of 2988 | 2568 | boob.exe | 32 (x4)
PID 2988 wrote to memory of 2324 | 2988 | 2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe | 33 (x4)
PID 2324 wrote to memory of 940 | 2324 | axplong.exe | 35 (x4)
PID 2568 wrote to memory of 836 | 2568 | boob.exe | 36 (x4)
PID 2324 wrote to memory of 2816 | 2324 | axplong.exe | 37 (x4)
PID 2816 wrote to memory of 2796 | 2816 | 3f1394bafa.exe | 38 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\boob.exe (command line: "C:\Users\Admin\AppData\Local\Temp\boob.exe") PID:3016
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\boob.exe (command line: "C:\Users\Admin\AppData\Local\Temp\boob.exe") PID:2568
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2CFCXOXGRZBDX7ZDHS7S3OT5U57ZSJ.exe") PID:2988
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe") PID:2324
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Downloads MZ/PE file
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\1019179001\171a45c8a1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1019179001\171a45c8a1.exe") PID:940
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        - C:\Users\Admin\AppData\Local\Temp\1019180001\3f1394bafa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1019180001\3f1394bafa.exe") PID:2816
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe") PID:2796
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Downloads MZ/PE file
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1036) PID:836
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 520) PID:3012
    - Program crash
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Credential Access: Credentials from Password Stores (1): Credentials from Web Browsers (1); Unsecured Credentials (3): Credentials In Files (3)
Downloads