Analysis
-
max time kernel
294s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
24-06-2024 05:50
General
-
Target
d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe
-
Size
1.8MB
-
MD5
d6c514c703aa1d130ac85dd4bfd9a4c4
-
SHA1
6458716c01788bc169105188f7c0c97dcb041290
-
SHA256
d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202
-
SHA512
549987e06fef44d5a0185914580b0fcf02dfe5237d02bd422c29e36492dc71e204d57b794f4df74afdc3aa854422eec66fc3d4f6a4eb22caaf986b24dbc7ea2a
-
SSDEEP
24576:I2XMSZC8uy6Uz242SVs9VtyZ+H6WDAuyJgFO93WJI6b8UKexOoAokZoKs5JIA5k3:5XKqz2f8duyJhRWJhRAokCXrkYbryJ
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Extracted
redline
AMA
185.215.113.67:40960
Extracted
redline
LiveTraffic
4.185.27.237:13528
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe"C:\Users\Admin\AppData\Local\Temp\d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\1.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 2086⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2604⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000007001\ama.exeFilesize
297KB
MD55d860e52bfa60fec84b6a46661b45246
SHA11259e9f868d0d80ac09aadb9387662347cd4bd68
SHA256b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
SHA51204ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701
-
C:\Users\Admin\AppData\Local\Temp\1000014001\1.exeFilesize
311KB
MD5d5952230486f57ea55d7fa125118feb0
SHA17e9b064738290ff87219f984944df57eea4618a2
SHA2564b31ffe2581b1c9efc5e30f03064b07ffefa727bf9ea10090dd9b2b8aef0cd2f
SHA5120cda03dc4baf4067aba96105ddb01b39e3d58bc85f4dc1eb555e526546d3b2f3bbf554b950b36dde9686d7fee2eb1898f803691cfc1b26d06be48a68bc1e2e1e
-
C:\Users\Admin\AppData\Local\Temp\1000015001\FirstZ.exeFilesize
1.1MB
MD5936009401446e096589f1458397273f3
SHA1b0c7467f4a7f01b9b3e2cc985b473f98c35e1286
SHA256cd78877485baa8b8ee3b6a69337fe1a1115824d0d145694a4ff3b64abe854810
SHA512f44be5fc228dcf99718cf10d6ea0c6df6a815b5344143ffef804211e5d6efa75a411f3ccb6943adb6f80c37a6a9071a482945d1c935b9ec3879021a5c255d609
-
C:\Users\Admin\AppData\Local\Temp\1000035001\gold.exeFilesize
522KB
MD570a578f7f58456e475facd69469cf20a
SHA183e147e7ba01fa074b2f046b65978f838f7b1e8e
SHA2565c8d556e39269b22e63ba9c941ff306bb043bc35125ba08787617577231b381a
SHA512707ed48b45978d26faaf3544bf22912461503d6e4b1a077cbb7c3a8abd2f1eb3fec16b2786a79ae4db2dfec92f662ece1998bc142706d2b482599fb6191563c0
-
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exeFilesize
415KB
MD507101cac5b9477ba636cd8ca7b9932cb
SHA159ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1
SHA256488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
SHA51202240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887
-
C:\Users\Admin\AppData\Local\Temp\1000092001\legs.exeFilesize
659KB
MD5bbd06263062b2c536b5caacdd5f81b76
SHA1c38352c1c08fb0fa5e67a079998ef30ebc962089
SHA2561875275da8d576fd9962c5b2bd9fe0e4b4d188caad9549125c8a64ecaf9308c9
SHA5127faa4e18cc9d7d82cb8efe8494668e05f75ddd5a8c9c9a058b2246a786a60d7761168862220b70820b02f38f196cfb5f106db36cdcfd5a5a3f9dfd01654eb9ad
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.8MB
MD5d6c514c703aa1d130ac85dd4bfd9a4c4
SHA16458716c01788bc169105188f7c0c97dcb041290
SHA256d73e6bc6f30824bfc0655c6072bc8a0a2d77ec8521d36f1a159dba0544725202
SHA512549987e06fef44d5a0185914580b0fcf02dfe5237d02bd422c29e36492dc71e204d57b794f4df74afdc3aa854422eec66fc3d4f6a4eb22caaf986b24dbc7ea2a
-
memory/1108-59-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/1108-60-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/1480-122-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/1536-35-0x0000000005F40000-0x0000000006546000-memory.dmpFilesize
6.0MB
-
memory/1536-33-0x0000000004E80000-0x0000000004F12000-memory.dmpFilesize
584KB
-
memory/1536-56-0x00000000059A0000-0x0000000005A06000-memory.dmpFilesize
408KB
-
memory/1536-36-0x0000000005220000-0x000000000532A000-memory.dmpFilesize
1.0MB
-
memory/1536-37-0x0000000005110000-0x0000000005122000-memory.dmpFilesize
72KB
-
memory/1536-38-0x0000000005130000-0x000000000516E000-memory.dmpFilesize
248KB
-
memory/1536-39-0x0000000005170000-0x00000000051BB000-memory.dmpFilesize
300KB
-
memory/1536-34-0x0000000005010000-0x000000000501A000-memory.dmpFilesize
40KB
-
memory/1536-31-0x00000000005F0000-0x0000000000640000-memory.dmpFilesize
320KB
-
memory/1536-32-0x0000000005430000-0x000000000592E000-memory.dmpFilesize
5.0MB
-
memory/1768-14-0x0000000001340000-0x0000000001810000-memory.dmpFilesize
4.8MB
-
memory/1768-1-0x0000000077E54000-0x0000000077E55000-memory.dmpFilesize
4KB
-
memory/1768-0-0x0000000001340000-0x0000000001810000-memory.dmpFilesize
4.8MB
-
memory/1768-2-0x0000000001341000-0x000000000136F000-memory.dmpFilesize
184KB
-
memory/1768-3-0x0000000001340000-0x0000000001810000-memory.dmpFilesize
4.8MB
-
memory/1768-5-0x0000000001340000-0x0000000001810000-memory.dmpFilesize
4.8MB
-
memory/2116-65-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-149-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-58-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-188-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-61-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-62-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-63-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-64-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-186-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-66-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-67-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-183-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-15-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-72-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-73-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-74-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-75-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-76-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-77-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-171-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-80-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-81-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-82-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-86-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-16-0x00000000009A1000-0x00000000009CF000-memory.dmpFilesize
184KB
-
memory/2116-99-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-116-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-18-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-123-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-129-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-17-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-146-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-147-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-152-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2116-55-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/2920-79-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/3276-53-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3744-168-0x0000000000400000-0x0000000000470000-memory.dmpFilesize
448KB
-
memory/3780-148-0x0000000000400000-0x000000000273B000-memory.dmpFilesize
35.2MB
-
memory/4224-71-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/4224-69-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/4388-155-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/4388-170-0x00000000009A0000-0x0000000000E70000-memory.dmpFilesize
4.8MB
-
memory/4396-52-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB
-
memory/4396-54-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB