Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 17:35
General
-
Target
b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42.exe
-
Size
207KB
-
MD5
d825c2090b9e3a5f48a9b8975b2729b4
-
SHA1
1f7ba5e361ff8010c763d0e8c800ba20d1c6973e
-
SHA256
b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42
-
SHA512
b0c53da2d766c7ff133f338c0ca0007afb13650c1bb123904d9a5b6917ece180514eced0a4531b00efda213797ef2d852ac65d06dc850da9bdcdde67aec0f873
-
SSDEEP
3072:mOBIkUSaJypm5qevh5zOCCD+N/m3FRVbKnim05FPDzBA/6trjWUZ1Pz:zIkyJy6mP+eqnNy9rjB5
Malware Config
Extracted
amadey
3.50
193.56.146.194/h49vlBP/index.php
Extracted
laplas
clipper.guru
-
api_key
ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 2 IoCs
-
Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42.exe"C:\Users\Admin\AppData\Local\Temp\b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe"C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 12724⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C schtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn jicTFBavsm /tr C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 12162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1504 -ip 15041⤵
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeC:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2316 -ip 23161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4332 -ip 43321⤵
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeC:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 4162⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exeC:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2568 -ip 25681⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exeFilesize
278KB
MD5ce9580dd23608f001846990280651568
SHA169ec3d27d1f287a54980c87798a696f9907558cc
SHA2562a89f391b53ed6f4ff5c29efee712d7f56fe531e04db633df67d0d5d28907609
SHA512508f4ceed49d8e9335cbf05386b2efa7df51edc29247bf7dfb2410332e2da4367daa665fd0abf7d7d929c1924ed641b517bbecc6f0eb10aca578dc000ed99f06
-
C:\Users\Admin\AppData\Local\Temp\1000146001\anon.exeFilesize
278KB
MD5ce9580dd23608f001846990280651568
SHA169ec3d27d1f287a54980c87798a696f9907558cc
SHA2562a89f391b53ed6f4ff5c29efee712d7f56fe531e04db633df67d0d5d28907609
SHA512508f4ceed49d8e9335cbf05386b2efa7df51edc29247bf7dfb2410332e2da4367daa665fd0abf7d7d929c1924ed641b517bbecc6f0eb10aca578dc000ed99f06
-
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exeFilesize
2.2MB
MD5af869295fc4dae186c82afcaecda6a6b
SHA17f98f7fb6154c544438134307c49fae846c80eb4
SHA25611f2765287664a10a83b56cec5f2c1bf34ff7a7e1721458950d4976d54b21414
SHA5126ec690690df3918d37c74df3b2460716a2d29fc840098a477ce3466e533889aba442df4d6083f3e4cc29556742a1a10a2b43e9efa5c55ffe02999d560986cb1b
-
C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exeFilesize
2.2MB
MD5af869295fc4dae186c82afcaecda6a6b
SHA17f98f7fb6154c544438134307c49fae846c80eb4
SHA25611f2765287664a10a83b56cec5f2c1bf34ff7a7e1721458950d4976d54b21414
SHA5126ec690690df3918d37c74df3b2460716a2d29fc840098a477ce3466e533889aba442df4d6083f3e4cc29556742a1a10a2b43e9efa5c55ffe02999d560986cb1b
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
207KB
MD5d825c2090b9e3a5f48a9b8975b2729b4
SHA11f7ba5e361ff8010c763d0e8c800ba20d1c6973e
SHA256b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42
SHA512b0c53da2d766c7ff133f338c0ca0007afb13650c1bb123904d9a5b6917ece180514eced0a4531b00efda213797ef2d852ac65d06dc850da9bdcdde67aec0f873
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
207KB
MD5d825c2090b9e3a5f48a9b8975b2729b4
SHA11f7ba5e361ff8010c763d0e8c800ba20d1c6973e
SHA256b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42
SHA512b0c53da2d766c7ff133f338c0ca0007afb13650c1bb123904d9a5b6917ece180514eced0a4531b00efda213797ef2d852ac65d06dc850da9bdcdde67aec0f873
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
207KB
MD5d825c2090b9e3a5f48a9b8975b2729b4
SHA11f7ba5e361ff8010c763d0e8c800ba20d1c6973e
SHA256b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42
SHA512b0c53da2d766c7ff133f338c0ca0007afb13650c1bb123904d9a5b6917ece180514eced0a4531b00efda213797ef2d852ac65d06dc850da9bdcdde67aec0f873
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
207KB
MD5d825c2090b9e3a5f48a9b8975b2729b4
SHA11f7ba5e361ff8010c763d0e8c800ba20d1c6973e
SHA256b16f2a81af5a3a8ad4568eb2e666bcf882b9dc3277765b35d0cd25729ad6bc42
SHA512b0c53da2d766c7ff133f338c0ca0007afb13650c1bb123904d9a5b6917ece180514eced0a4531b00efda213797ef2d852ac65d06dc850da9bdcdde67aec0f873
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exeFilesize
306.3MB
MD5a6128debde07ec360a02b134e1b4cfb0
SHA11c2d81587d339be8fe08dd892fc9d5e8c10a72f6
SHA2563ad9b46e2acd93919d90963e0a782261489028cf23db776740927c98b3d95142
SHA51209696617346d58bccd39cbb026b6480d523430d68f272249c7b462ff5f04ad45ca24abc787fe9f27299c4ce970d2e14a4f0122aab4a9af0531b2fdde5ae3081f
-
C:\Users\Admin\AppData\Roaming\jicTFBavsm\PNcznLwIMl.exeFilesize
302.7MB
MD57260989da41e198a4e72af796b21465f
SHA189b9efb41816a98c603904b3d0c29bf3b3c2381f
SHA256944c6c2ca6969636d30ddae4e64a3b4c47429f6d093c7c7cd6052fd780eb802a
SHA512e5d04e487b568a5e6462fe40cb65f30e4a2b3c3b60e753ae03b1636b6da5307615673bf7cb21bf6819441e89668222126341943fc51041c0789d029cb71bb840
-
memory/636-185-0x00000000029D0000-0x0000000002BEF000-memory.dmpFilesize
2.1MB
-
memory/636-186-0x0000000000400000-0x0000000000CE5000-memory.dmpFilesize
8.9MB
-
memory/1232-141-0x0000000000000000-mapping.dmp
-
memory/1504-136-0x0000000002840000-0x000000000287E000-memory.dmpFilesize
248KB
-
memory/1504-134-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/1504-133-0x0000000002840000-0x000000000287E000-memory.dmpFilesize
248KB
-
memory/1504-132-0x0000000000CB8000-0x0000000000CD7000-memory.dmpFilesize
124KB
-
memory/1504-135-0x0000000000CB8000-0x0000000000CD7000-memory.dmpFilesize
124KB
-
memory/1504-147-0x0000000000CB8000-0x0000000000CD7000-memory.dmpFilesize
124KB
-
memory/1504-140-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/1880-154-0x0000000000CD8000-0x0000000000CF7000-memory.dmpFilesize
124KB
-
memory/1880-155-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/1880-137-0x0000000000000000-mapping.dmp
-
memory/1880-143-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/1880-142-0x0000000000CD8000-0x0000000000CF7000-memory.dmpFilesize
124KB
-
memory/2120-164-0x0000000000000000-mapping.dmp
-
memory/2316-167-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/2316-166-0x0000000000CAB000-0x0000000000CCA000-memory.dmpFilesize
124KB
-
memory/2568-183-0x0000000000D6C000-0x0000000000D8B000-memory.dmpFilesize
124KB
-
memory/2568-184-0x0000000000400000-0x0000000000AE6000-memory.dmpFilesize
6.9MB
-
memory/3076-159-0x0000000002BE0000-0x0000000003079000-memory.dmpFilesize
4.6MB
-
memory/3076-160-0x0000000000400000-0x0000000000CE5000-memory.dmpFilesize
8.9MB
-
memory/3076-151-0x0000000000000000-mapping.dmp
-
memory/3076-168-0x0000000000400000-0x0000000000CE5000-memory.dmpFilesize
8.9MB
-
memory/3076-158-0x00000000029BE000-0x0000000002BDD000-memory.dmpFilesize
2.1MB
-
memory/3508-163-0x0000000000000000-mapping.dmp
-
memory/4332-170-0x0000000005A90000-0x0000000005AA2000-memory.dmpFilesize
72KB
-
memory/4332-179-0x0000000000400000-0x0000000000AF8000-memory.dmpFilesize
7.0MB
-
memory/4332-172-0x0000000006650000-0x00000000066B6000-memory.dmpFilesize
408KB
-
memory/4332-144-0x0000000000000000-mapping.dmp
-
memory/4332-165-0x0000000005B40000-0x0000000006158000-memory.dmpFilesize
6.1MB
-
memory/4332-169-0x0000000005960000-0x0000000005A6A000-memory.dmpFilesize
1.0MB
-
memory/4332-176-0x0000000006BD0000-0x0000000006D92000-memory.dmpFilesize
1.8MB
-
memory/4332-177-0x0000000006DA0000-0x00000000072CC000-memory.dmpFilesize
5.2MB
-
memory/4332-178-0x0000000000C3C000-0x0000000000C6D000-memory.dmpFilesize
196KB
-
memory/4332-171-0x0000000005AB0000-0x0000000005AEC000-memory.dmpFilesize
240KB
-
memory/4332-157-0x0000000005240000-0x00000000052D2000-memory.dmpFilesize
584KB
-
memory/4332-156-0x0000000005380000-0x0000000005924000-memory.dmpFilesize
5.6MB
-
memory/4332-162-0x0000000000C3C000-0x0000000000C6D000-memory.dmpFilesize
196KB
-
memory/4332-150-0x0000000000400000-0x0000000000AF8000-memory.dmpFilesize
7.0MB
-
memory/4332-149-0x0000000002710000-0x000000000274E000-memory.dmpFilesize
248KB
-
memory/4332-148-0x0000000000C3C000-0x0000000000C6D000-memory.dmpFilesize
196KB
-
memory/4468-173-0x0000000000000000-mapping.dmp