Overview

overview

10

Static

static

3

0c7c79b06e...83.exe

windows10-2004-x64

0c7c79b06e...83.exe

windows10-ltsc_2021-x64

10

Resubmissions

03/04/2025, 00:48

250403-a5yalawvdy 10

03/04/2025, 00:45

250403-a4gw8aypt8 10

21/02/2025, 13:19

250221-qkqm1sskh1 10

21/02/2025, 12:51

250221-p3vt1ssmek 10

20/02/2025, 14:07

250220-rey8mswqdj 10

Analysis

  • max time kernel
    30s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 00:48

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe

  • Size

    2.1MB

  • MD5

    f22b0344fefdf201d07314323a83b022

  • SHA1

    6dde721e943cb298e50446083c1d7260071aaaae

  • SHA256

    0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

  • SHA512

    61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac

  • SSDEEP

    49152:vDB/YpemdpJhhEwrtke2DSl/YKH7vOITWMPnzZPoc9j:9/kXhEikRDS/bvOIbPnzZxj

Score
10/10
amadeylumma0921559c9aa5defense_evasiondiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://rlxspoty.run/nogoaz

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://9-xrfxcaseq.live/gspaz

https://ywmedici.top/noagis

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Downloads MZ/PE file 3 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
    "C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Local\Temp\1092840001\2c0a4a442d.exe
        "C:\Users\Admin\AppData\Local\Temp\1092840001\2c0a4a442d.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4316
      • C:\Users\Admin\AppData\Local\Temp\1095381001\fdd07a8263.exe
        "C:\Users\Admin\AppData\Local\Temp\1095381001\fdd07a8263.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:704
      • C:\Users\Admin\AppData\Local\Temp\1095382001\c617eeb8e3.exe
        "C:\Users\Admin\AppData\Local\Temp\1095382001\c617eeb8e3.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        PID:3972
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2400
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3918855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1092840001\2c0a4a442d.exe
    Filesize

    1.8MB

    MD5

    44924eb507fa8a299ae3709ae6fdcb28

    SHA1

    2ea854b611f226eec0a9353d7c4e59be96bc822d

    SHA256

    612d802bb15929c943b625d61193f894b4c7a327c06b92815ff7864ce6c8906c

    SHA512

    d0d9496dc6df963ff50a570c6e153d6b1fa45c40437457d35dd9247f47a781e36e26ff772b6ce9ef68d3047ff4901c05a185ebfffc2825bb155dfcc9e4e88fc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1095381001\fdd07a8263.exe
    Filesize

    2.0MB

    MD5

    9844b1dcbcb24c0f8630e89472477655

    SHA1

    5fe2dce6e0356214ce312f6d3df4e34f50ef0c84

    SHA256

    435a49ea77b05e5d2199720d7d9754604d529d1c24f5078bac3e3fe66882327f

    SHA512

    8050e16334249f2216932865341955dfd9d9c057343bfbb88232a7e2762aaf9fe53b76efe523df3fbcca14aac30d132c1f2325db1894f1d3e7b0872f07fcd868

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1095382001\c617eeb8e3.exe
    Filesize

    2.4MB

    MD5

    fa256b5040a684cb0b12f87ac804be7e

    SHA1

    e567e362f403a241deefe14941845bc2b138e239

    SHA256

    99f521cbb824caacc94f70e024828c73b5269dbadd678103ba90163bed028373

    SHA512

    f3530b09a41a0362c881202234772eb3443ae564595bb6f4166cfafb39aa554b1b64b8aeead1314645b86fd75ae9548301d1cde6d16d6295cb291ee20ed530e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Filesize

    2.1MB

    MD5

    f22b0344fefdf201d07314323a83b022

    SHA1

    6dde721e943cb298e50446083c1d7260071aaaae

    SHA256

    0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

    SHA512

    61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac

    Download Submit

  • memory/704-62-0x0000000000820000-0x0000000000CC5000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/704-61-0x0000000000820000-0x0000000000CC5000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2060-19-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-44-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-86-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-20-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-21-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-22-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-84-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-39-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-59-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2060-43-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2400-83-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2400-81-0x0000000000900000-0x0000000000DD6000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3396-18-0x0000000000BB1000-0x0000000000C19000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3396-5-0x0000000000BB0000-0x0000000001086000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3396-3-0x0000000000BB0000-0x0000000001086000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3396-2-0x0000000000BB1000-0x0000000000C19000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3396-1-0x0000000076F94000-0x0000000076F96000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3396-0-0x0000000000BB0000-0x0000000001086000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3396-17-0x0000000000BB0000-0x0000000001086000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3972-78-0x00007FF7A2560000-0x00007FF7A2BD5000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3972-79-0x00007FF7A2560000-0x00007FF7A2BD5000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4316-42-0x00000000008A0000-0x0000000000D5C000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4316-40-0x00000000008A0000-0x0000000000D5C000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4316-38-0x00000000008A0000-0x0000000000D5C000-memory.dmp

    Filesize

    4.7MB

    Download