Analysis
max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
11/02/2025, 20:56
Static task
static1
Behavioral task
behavioral1
Sample
5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Resource
win10v2004-20250207-en
General
-
Target
5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
-
Size
1.8MB
-
MD5
b1447ca027b813486bbd9bb290cfbd0d
-
SHA1
e772fac1228583d6d9e7b853ba4b3d6cf606dfa8
-
SHA256
5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9
-
SHA512
bb91fbd271ac6e3655ad538c41af6c3089787ae23c750ac0106f2a2481835e3b0691056258438d139ee70cbf6169d0ca42948683fe0bf5b03b10c73cbd34bd5f
-
SSDEEP
49152:JxMsunbmOnBAd1H6ddyXwhHIBVm7FvzvEO1wxM:KneaddcWztzvEOV
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
reno
http://185.215.113.115
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Gcleaner family
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c9551daf33.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 151a9297df.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1efe7c3f4a.exe
Downloads MZ/PE file 4 IoCs
flow | pid | Process
3 | 2724 | axplong.exe
3 | 2724 | axplong.exe
7 | 2724 | axplong.exe
10 | 1208 | skotes.exe
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c9551daf33.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c9551daf33.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 151a9297df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1efe7c3f4a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 151a9297df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1efe7c3f4a.exe
Executes dropped EXE 6 IoCs
pid | Process
2724 | axplong.exe
1416 | c9551daf33.exe
1660 | 151a9297df.exe
1208 | skotes.exe
2580 | BwStzYG.exe
1716 | 1efe7c3f4a.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | 151a9297df.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | 1efe7c3f4a.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | c9551daf33.exe
Loads dropped DLL 11 IoCs
pid | Process
2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
2724 | axplong.exe
2724 | axplong.exe
2724 | axplong.exe
2724 | axplong.exe
1660 | 151a9297df.exe
1660 | 151a9297df.exe
1208 | skotes.exe
1208 | skotes.exe
2724 | axplong.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\c9551daf33.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019912001\\c9551daf33.exe" | axplong.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\151a9297df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019913001\\151a9297df.exe" | axplong.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
2724 | axplong.exe
1416 | c9551daf33.exe
1660 | 151a9297df.exe
1208 | skotes.exe
1716 | 1efe7c3f4a.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1716 set thread context of 1896 | 1716 | 1efe7c3f4a.exe | 40
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
File created | C:\Windows\Tasks\skotes.job | 151a9297df.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1efe7c3f4a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c9551daf33.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 151a9297df.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
2724 | axplong.exe
1416 | c9551daf33.exe
1660 | 151a9297df.exe
1208 | skotes.exe
1716 | 1efe7c3f4a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1716 | 1efe7c3f4a.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
1660 | 151a9297df.exe
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 2412 wrote to memory of 2724 | 2412 | 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe | 30 (4 identical entries)
PID 2724 wrote to memory of 1416 | 2724 | axplong.exe | 32 (4 identical entries)
PID 2724 wrote to memory of 1660 | 2724 | axplong.exe | 34 (4 identical entries)
PID 1660 wrote to memory of 1208 | 1660 | 151a9297df.exe | 35 (4 identical entries)
PID 1208 wrote to memory of 2580 | 1208 | skotes.exe | 38 (4 identical entries)
PID 2724 wrote to memory of 1716 | 2724 | axplong.exe | 39 (4 identical entries)
PID 1716 wrote to memory of 1896 | 1716 | 1efe7c3f4a.exe | 40 (11 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe
"C:\Users\Admin\AppData\Local\Temp\5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2412
  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2724
    C:\Users\Admin\AppData\Local\Temp\1019912001\c9551daf33.exe
    "C:\Users\Admin\AppData\Local\Temp\1019912001\c9551daf33.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1416
    C:\Users\Admin\AppData\Local\Temp\1019913001\151a9297df.exe
    "C:\Users\Admin\AppData\Local\Temp\1019913001\151a9297df.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1660
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Downloads MZ/PE file
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:1208
        C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe
        "C:\Users\Admin\AppData\Local\Temp\1075597001\BwStzYG.exe"
        - Executes dropped EXE
        PID:2580
    C:\Users\Admin\AppData\Local\Temp\1019914001\1efe7c3f4a.exe
    "C:\Users\Admin\AppData\Local\Temp\1019914001\1efe7c3f4a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      PID:1896
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.7MB
MD5 ffe913df5ffe48d6e73f144bb3b730e9
SHA1 259da8a5b27c1d32f345936873213e7a7edd08bc
SHA256 2165984f24da970fd8c1f200ac75471d151cae8409cb20787d2e98e9fc4e102c
SHA512 3aa41d0357c561dba73f90f68912f1e1ad4fc65530307f14e6ed3b7ec502977db06aeb8b8095aae2865cba43cf78c87d36c21e218d01131206754fd72b3c5a26
-
Filesize 2.0MB
MD5 852a4f9bc29a3959aca962d5213c4868
SHA1 4e92397a31a828a2888922ba562c747a4e835adf
SHA256 83e6fed97dce98d0c251582de36aedc7ec0c092bcec9b53e42768766135fdbb7
SHA512 3a9dd4f3a378bb4ba028abf9782c85cef5dc765530d5fe6b93cd0a296e1558cdaa7d79a8357229e856afed99f6b5981a5b1791ed4ff772d82ccf6921de781801
-
Filesize 4.2MB
MD5 580d01da779f9d2c14ffa548ea4da16e
SHA1 331444c3b7b6e6bbcedf7f5728ffd08771e968eb
SHA256 331135350bbc1edcbc92cb10aa3d285ea0df48fda73d9838c1a6e9947485dd93
SHA512 82e3b358e14cecf3a2a3054a6c8f6903560cc697111774f6b1390dfa591942037d32572f90c549e69b4da4c3a05c1e2527e298ec37c6e4b0f31cc1f278a6f43b
-
Filesize 657KB
MD5 bdc51a1e2b603e81cf981830d035e042
SHA1 dac044f8a311e09f2db699c0a59f59664065f93c
SHA256 60d9571eb53e31b25680d7008a4a7f09e55a93b4543d5e34ee4038eb960c3146
SHA512 1017f1a9c66543a62baeaca698d2dff9d655943a0e7f15d8e887f0c22192d32601225c02b74667b9b12ec43add953a0f4e0de20088bd8ae3e157ef15113e0cd6
-
Filesize 1.8MB
MD5 b1447ca027b813486bbd9bb290cfbd0d
SHA1 e772fac1228583d6d9e7b853ba4b3d6cf606dfa8
SHA256 5b24f29aab708907f8acbe4d16873a0116533029b81f0c1f9a5fad5b3a54a2d9
SHA512 bb91fbd271ac6e3655ad538c41af6c3089787ae23c750ac0106f2a2481835e3b0691056258438d139ee70cbf6169d0ca42948683fe0bf5b03b10c73cbd34bd5f