Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/07/2025, 07:07

General

  • Target

    2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe

  • Size

    7.0MB

  • MD5

    e401a72a05ca2768dece12eb9f901cd4

  • SHA1

    6820c628ab059ae5d6e14b699d291d00bb3c3536

  • SHA256

    bca462cb28356dd4319a25e4680159433f6c3ba373bbd783b6f84163139f9dce

  • SHA512

    d76425266de993463f04b7797a46a81aa2c4f1ae9a2fbfeebd38393bdb8c0829856116421f32d6c7fcdd391d8dbc4bfe61286141ddf0c64d33bafedc4215df8e

  • SSDEEP

    98304:xYOXwnS4rVjx1LVt0Q7+Cga0Kt14vgvK0pR7Xn4TiRCvJ7:mIG1Jjj14YF7XnKPZ

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3316
      • C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4676
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5784
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5800
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1340

    Network

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe

            Filesize

            7.1MB

            MD5

            dd4280eb9a13273acecbf9bae0c53585

            SHA1

            c9554baa90be855b13a0ff3b08096dc83df62b48

            SHA256

            e999d6e8049b275419c8db69370fb8d11a8db46237eb05df7dac8300c342f1cc

            SHA512

            e5c4a9f21c4cad40f94688d9435c5f24a200d7b7315f1614d9cc62a582d0fee7291af0c5286939c8c991149dbe93911ceee746b3cc6caa3533a6c2ca61932779

          • C:\Program Files\dotnet\dotnet.exe

            Filesize

            7.2MB

            MD5

            a12ba6f7507a071274cb9fc364361560

            SHA1

            be5b08de6ec26bc03f7debdb4127b699554fb4e7

            SHA256

            3291ea85fa82fcfb1184c9cd34fa266b1a7b607c1878d895aec61f3905beae86

            SHA512

            a7498997f1291521fa2880e53ddf44636d9ca1840a7c00694b2c2697d5fdcbc11d3e540e581a05fe27610424f2e171247fb69b9baf649a2491b74fbf3567b0c1

          • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

            Filesize

            7.5MB

            MD5

            1cc19e4fda96278b8a120bdb3fa9e5ec

            SHA1

            97f2d293b63e2f22012f7c037c2be7a6e68f9b3a

            SHA256

            b6ff4f2c3d33ad69e9bb1ebb28568522cc1035418dc7dde10a476e69aeda24aa

            SHA512

            3a41da10f1780572945bf32f25a4482a019ebe0372c70c0755df7797be9ebfe53e1f7270595746525e293ce97919027456f020be7089ece0a2fed463c1dfdfe6

          • F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\_desktop.ini

            Filesize

            8B

            MD5

            24c49e895be062b0bc063b7f1d713545

            SHA1

            096a87b1f8369fb3a4c4fc8323606dad58b8e790

            SHA256

            c18ba10163eca907f0f0957d320e3f831cdfaf81758c3a3a7aef62236d4d3f2f

            SHA512

            ae5d7fd55ea8caaea714d7baf66fe7c074e5d12d81bb10a774965ed23fd4d1dae5d2820c811bcbc5c84eab6aa7a2d6b8e81aef19875d87f62910c7387ec24f36

          • memory/2492-0-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2492-3-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB