Overview

overview

10

Static

static

3

e4ebfe05d5...11.exe

windows7-x64

10

e4ebfe05d5...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2025 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe

  • Size

    1.9MB

  • MD5

    d1c4ee6a5e25dfdc0d2d2c9299af123e

  • SHA1

    1415ecd3d0190709a53b76428b72e195e1633bd3

  • SHA256

    e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211

  • SHA512

    ea0b9f5a9275f15e68a6f5f92fd92b1939f948b486da00d41f391937319d622f423053591f311ff4145da9d26cfef3eaaf790e82b3f2b46b7004853bfa8be24a

  • SSDEEP

    24576:J7PYlhBjkG7uzwoZ5+J1R7+u0gBdHT3LHulBbZi37tqHrqDz/poNgNeggahXGG1N:UoARq+BRurcRqLqfhAgNegg8+zDxZCh

Score
10/10
amadeystealcfed3aarenodefense_evasiondiscoverypersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    defense_evasion
  • Downloads MZ/PE file 3 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
    "C:\Users\Admin\AppData\Local\Temp\e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\1020044001\ace3c9b8f5.exe
        "C:\Users\Admin\AppData\Local\Temp\1020044001\ace3c9b8f5.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1960
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjhGNzVBQUEtMEQ1RC00OTc4LTgwRUMtMTc0QTJFNEM3QzgzfSIgdXNlcmlkPSJ7MDUyMjNCMTAtRDhGQS00NDk4LUJGMjgtNUY1OUEzNUE4N0ZDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUU2RjE1NEItQjc3OS00MDA4LUIwQkEtNjhCMDQ4OUVDMDNGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzM2MjQyMDM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:316
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1001527001\alex11111111.exe
    Filesize

    266KB

    MD5

    3121b74adfd59a89073a3f0e7e28711e

    SHA1

    08f17e6bb1a81ffb4f522c87f54773698ec2e315

    SHA256

    b1d9d4702f6a2cd52ab541e8ca2e090683755b80f6eb40703655460a9fcff51d

    SHA512

    22adfabf81a3735fb7c5bd9ce0a41c4fcde63b91e422a64c8b6092449d0a3f989d9bb072c506ec9e49af5338941ecd9abd64175c14bb2afa6284376e07fb2dd2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1020044001\ace3c9b8f5.exe
    Filesize

    1.7MB

    MD5

    38327ebdd998d57c90036b85c94ea6ed

    SHA1

    7d738868b6dd3f221c422bc1bdef62c81af799f9

    SHA256

    ef90c3ca51a3870aa4d75b30b20149e8a532896b54698ae46e587fbc96c437a3

    SHA512

    a0a2791dc9a8041ded8e0f9c25f2d642b404aa4d21656fdca3aa33199d8653d5478d25c0298624b604f50b8c4e5091cef36cc0b03ccb1b43bd5a1b53a68d2b85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1020045001\f862ce2555.exe
    Filesize

    1.7MB

    MD5

    3aa16d872c3d7ecbead8a387c2e0bef8

    SHA1

    4224596c23c5934db75147f52ea3b395f55c91b1

    SHA256

    071149d9b5559ddc11f74117d7a1c5568c72081fc3354373562bcdad8f48b59e

    SHA512

    a4e66796e12362bf56b18845bdb7198f9278fb8c3b18736b2bf53ed6556058f6cec4520294dc41b30fd2999a58e2eb825f5a34e5b9e0ae4cb0ee77ca6f024f73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.9MB

    MD5

    d1c4ee6a5e25dfdc0d2d2c9299af123e

    SHA1

    1415ecd3d0190709a53b76428b72e195e1633bd3

    SHA256

    e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211

    SHA512

    ea0b9f5a9275f15e68a6f5f92fd92b1939f948b486da00d41f391937319d622f423053591f311ff4145da9d26cfef3eaaf790e82b3f2b46b7004853bfa8be24a

    Download Submit

  • memory/404-15-0x0000000000110000-0x00000000005EC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/404-5-0x0000000000110000-0x00000000005EC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/404-0-0x0000000000110000-0x00000000005EC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/404-3-0x0000000000110000-0x00000000005EC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/404-2-0x0000000000111000-0x000000000013F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/404-1-0x0000000077A14000-0x0000000077A16000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1960-102-0x0000000000020000-0x00000000006AD000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1960-100-0x0000000000020000-0x00000000006AD000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3196-108-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3196-107-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-49-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-103-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-48-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-65-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-83-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-84-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-33-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-20-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-21-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-50-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-104-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-19-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-18-0x0000000000C81000-0x0000000000CAF000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3652-109-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-110-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-111-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-112-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-113-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-114-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3652-17-0x0000000000C80000-0x000000000115C000-memory.dmp

    Filesize

    4.9MB

    Download