Overview

overview

10

Static

static

3

dc2de079a3...cc.exe

windows7-x64

10

dc2de079a3...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2025 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc2de079a3e74f9f9fd66d35cc43a3a647e7e9fb1c61ada0b092e567408739cc.exe

  • Size

    1.8MB

  • MD5

    87e2bacbb2b97bd750d716c18da5b3a0

  • SHA1

    7c40fd0b7a3bd6c59a605cb6d9f20e2e19c212af

  • SHA256

    dc2de079a3e74f9f9fd66d35cc43a3a647e7e9fb1c61ada0b092e567408739cc

  • SHA512

    b386fbe63e72977d769382e3ab112bdeda9a1b9e8480cafeb325795bee186af63085e66b059386cbb4f3e1f5f1b06a6806b6b6a8d3312be9d1754faca597794a

  • SSDEEP

    49152:BMs7fUicQ3xMVwIpIhUI7Bspj68AQqypRo53y:u6Uir36fpIpgA/y

Score
10/10
amadeystealcfed3aarenodefense_evasiondiscoverypersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Downloads MZ/PE file 2 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc2de079a3e74f9f9fd66d35cc43a3a647e7e9fb1c61ada0b092e567408739cc.exe
    "C:\Users\Admin\AppData\Local\Temp\dc2de079a3e74f9f9fd66d35cc43a3a647e7e9fb1c61ada0b092e567408739cc.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Users\Admin\AppData\Local\Temp\1021144001\c476dce7fc.exe
        "C:\Users\Admin\AppData\Local\Temp\1021144001\c476dce7fc.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:584
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:764
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTgyQUREODQtRUVCRC00NzlCLTk1REUtOTJFMENBOTgzRUFBfSIgdXNlcmlkPSJ7MjI5NTI1NDItRDk0MS00QTAwLUJFMEEtN0FEMzNEQTIzOUQxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NUE5NEI0MEEtMDhBMi00NTg5LUI5OTgtQjBENTA5NzgxMUZFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzk1ODg5MjA1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4028
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1001527001\alex11111111.exe
    Filesize

    266KB

    MD5

    6c11fb107c2b8eb2b8bebe5873598370

    SHA1

    f0ead612d2f56079f8db5c4234262f29df242620

    SHA256

    458f9fe9e57eca5409fb9e7b92e8b84eb737fa26ba21488ad47056e800953272

    SHA512

    057ee5b24acf46f67c35a91876a125759469210feee0920e38fa52a600b129a7f8721a6dbf8d3b3ef0f244fee6d51e2aa0af03bd68e22e0e98d1c6b2a603d9ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1021144001\c476dce7fc.exe
    Filesize

    1.7MB

    MD5

    44ff768becec4b5f5b64b123f180294e

    SHA1

    dc18911075f82f6277635762e6236507cecddd0c

    SHA256

    950d79f3a80f4b98510bc8de408d441df98aa05feee197c8e42333e261dc21f1

    SHA512

    36fc08855ae8b352908345a06f17793617e000ce1e6ca7b3884ff8b304c5cd92494fb8eb0a9e952729877831d5c86912fe5b44e2787942a0c20555bbd417f08f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1021145001\f5b3f25ebe.exe
    Filesize

    976KB

    MD5

    4499ad33be05e9296d7c166865415ecf

    SHA1

    68c05d4781824fffcf20c32d8ea04c937fc790fa

    SHA256

    478bbac46cf75c1137d50b142b6c4f2dba9c6a17a333f1da1dd8f9b19deabed3

    SHA512

    d5337728c922f414f9d398f93db37fe3dc0e91d8f7921fb3806d4b07bcf99e27ce413dd4b5497d358f364c14c68d478a9e5651db35a1e3babb1c03acab872b7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.8MB

    MD5

    87e2bacbb2b97bd750d716c18da5b3a0

    SHA1

    7c40fd0b7a3bd6c59a605cb6d9f20e2e19c212af

    SHA256

    dc2de079a3e74f9f9fd66d35cc43a3a647e7e9fb1c61ada0b092e567408739cc

    SHA512

    b386fbe63e72977d769382e3ab112bdeda9a1b9e8480cafeb325795bee186af63085e66b059386cbb4f3e1f5f1b06a6806b6b6a8d3312be9d1754faca597794a

    Download Submit

  • memory/584-111-0x0000000000810000-0x0000000000EA9000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/584-110-0x0000000000810000-0x0000000000EA9000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/764-25-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/764-27-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/764-24-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/764-23-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2876-94-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2876-93-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3712-5-0x0000000000B50000-0x000000000100F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3712-2-0x0000000000B51000-0x0000000000B7F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3712-3-0x0000000000B50000-0x000000000100F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3712-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3712-0-0x0000000000B50000-0x000000000100F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3712-17-0x0000000000B50000-0x000000000100F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-89-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-29-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-86-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-87-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-88-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-21-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-91-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-20-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-54-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-116-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-18-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-28-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-112-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-113-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-114-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-115-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-39-0x0000000000430000-0x00000000008EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4480-19-0x0000000000431000-0x000000000045F000-memory.dmp

    Filesize

    184KB

    Download