Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

random.exe

windows10-ltsc 2021-x64

10

random.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-es
  • resource tags

    arch:x64arch:x86image:win11-20250210-eslocale:es-esos:windows11-21h2-x64systemwindows
  • submitted
    15/02/2025, 15:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.8MB

  • MD5

    bc3b0fcb68c9a3e6ce6ee8b3b9c258f6

  • SHA1

    edde275eb12f3e35413bf5872034ed7fe318ee68

  • SHA256

    c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

  • SHA512

    7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83

  • SSDEEP

    49152:y3OcrT0HpwEszQyM6w1muKtmMSb65a2wz3pcM:K4GJzbM6qmuKtjSb65ybV

Score
10/10
amadeystealcfed3aarenodefense_evasiondiscoverypersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    defense_evasion
  • Downloads MZ/PE file 2 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:236
      • C:\Users\Admin\AppData\Local\Temp\1020772001\ed8882aa7b.exe
        "C:\Users\Admin\AppData\Local\Temp\1020772001\ed8882aa7b.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2384
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4892
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDk5NkYzQTYtQTJGNC00MDM0LUI3Q0EtMkJCOENEMTdGM0IyfSIgdXNlcmlkPSJ7MUJDMEZFNDAtMzFBMy00MkI3LUIzNzYtMkZGRjZCNzE5RTA3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkM0QkE3MUEtQjZDNi00NEIwLThBNzctQzhGNjA0NEUwNjlEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjUiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyNTAxMDkzODEiLz48L2FwcD48L3JlcXVlc3Q-
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2004
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4220
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
    Filesize

    266KB

    MD5

    c77751a0625f6ba33e3f52261272abcb

    SHA1

    0856d2e7c47ba208da34592838271a9fe50a2cc1

    SHA256

    bf6f610b726faac12c27a34d22cd89400bbb6fb4784386d8408bd25f70a7554d

    SHA512

    fd77187a97695de1af1754844f8ca47198ff4203260c2c88a65530e5912e9fd8f038eb3afdb4f6dd291d8311e44d465d75bf849241870d334499528157064d82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1020772001\ed8882aa7b.exe
    Filesize

    1.7MB

    MD5

    be387fa24001fc6815aaa56fd034e158

    SHA1

    ea2116971dc1c9e20250d6e895a467033d3b66cc

    SHA256

    97a0714c97ef7d24d3e6724c9101e4fa035159eab3dd194b4b8f2c3fe927ced3

    SHA512

    8f7ce5bd72a87b7147c65a341b0f6902d68af49b1400bd6a42bcbe2b90719da218a5568eac26ca24e9f6c045ab784a446cd9e81bcf3d8ea212f96c7b9422f1da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.8MB

    MD5

    bc3b0fcb68c9a3e6ce6ee8b3b9c258f6

    SHA1

    edde275eb12f3e35413bf5872034ed7fe318ee68

    SHA256

    c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

    SHA512

    7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83

    Download Submit

  • memory/128-88-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-39-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-84-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-15-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-107-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-19-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-20-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-22-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-21-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-106-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-85-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-83-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-36-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-37-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-38-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-82-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-45-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-81-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-54-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-76-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-77-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/236-80-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1948-3-0x0000000000540000-0x00000000009FF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1948-0-0x0000000000540000-0x00000000009FF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1948-5-0x0000000000540000-0x00000000009FF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1948-2-0x0000000000541000-0x000000000056F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1948-1-0x0000000077AF6000-0x0000000077AF8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1948-18-0x0000000000540000-0x00000000009FF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2384-104-0x0000000000E60000-0x00000000014DC000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2384-105-0x0000000000E60000-0x00000000014DC000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4220-79-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4892-29-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4892-27-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4892-24-0x00000000003E0000-0x000000000089F000-memory.dmp

    Filesize

    4.7MB

    Download