Overview

overview

10

Static

static

3

2228e230da...d7.exe

windows7-x64

10

2228e230da...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2228e230da3c69acba17d21614710ed7.exe

  • Size

    482KB

  • MD5

    2228e230da3c69acba17d21614710ed7

  • SHA1

    d393023a13d593b78a39ffddf13de02dd4f969d7

  • SHA256

    cfa888e64110e06bbe0d79f2664f048d6eee82a2278dff86c21e1ae6bb6b51f5

  • SHA512

    3c79c9a56185c2019c844e2b6c731eac268567c6ac962e8e5e316cc0532f971e327c8236e7866ffedb41d001edb5e7d5969b353e270e995c1a5af5db007fa7c4

  • SSDEEP

    12288:H+dGf/lHLV+p1VBxjTOYzHHYbkoYDK8kpDpD5fdMV:edUdkn5TOcnYbkK8kpDpD5f

Score
10/10
amadeyspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru
Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 6 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2228e230da3c69acba17d21614710ed7.exe
    "C:\Users\Admin\AppData\Local\Temp\2228e230da3c69acba17d21614710ed7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2200
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2292
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:2888
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:3928
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:1312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1276
      2⤵
      • Program crash
      PID:3084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1488
      2⤵
      • Program crash
      PID:3772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4140 -ip 4140
    1⤵
      PID:4640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4140 -ip 4140
      1⤵
        PID:3680
      • C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        1⤵
        • Executes dropped EXE
        PID:4784
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 432
          2⤵
          • Program crash
          PID:3348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 476
          2⤵
          • Program crash
          PID:3140
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4784 -ip 4784
        1⤵
          PID:448
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4784 -ip 4784
          1⤵
            PID:2524
          • C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
            C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
            1⤵
            • Executes dropped EXE
            PID:4148
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 432
              2⤵
              • Program crash
              PID:4492
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 456
              2⤵
              • Program crash
              PID:4504
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4148 -ip 4148
            1⤵
              PID:3516
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4148 -ip 4148
              1⤵
                PID:844

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\398549320365
                Filesize

                77KB

                MD5

                b77750e2cc3aebb496589f149004d73c

                SHA1

                b3122572e44a4d83e138f31a6b1c3ded2b07ea13

                SHA256

                dc0148f5c89bd34eb11a87eb940b0018fd0020f7dc4353ad89d89311023ebac3

                SHA512

                2a2b25c8580ad48b021f9862fdcf9eae09eda72ce32514f3a0099bda958eb1d3d80cbc63c62d2f504bf163378cbc65e2fb310bb2f9f2238f85edb6c26b9a7607

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
                Filesize

                482KB

                MD5

                2228e230da3c69acba17d21614710ed7

                SHA1

                d393023a13d593b78a39ffddf13de02dd4f969d7

                SHA256

                cfa888e64110e06bbe0d79f2664f048d6eee82a2278dff86c21e1ae6bb6b51f5

                SHA512

                3c79c9a56185c2019c844e2b6c731eac268567c6ac962e8e5e316cc0532f971e327c8236e7866ffedb41d001edb5e7d5969b353e270e995c1a5af5db007fa7c4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
                Filesize

                1.1MB

                MD5

                f01f5bc76b9596e0cfeab8a272cba3a5

                SHA1

                19cab1291e4e518ae636f2fb3d41567e4e6e4722

                SHA256

                83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

                SHA512

                ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

                Download Submit

              • memory/764-41-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/764-19-0x00000000020D0000-0x000000000213F000-memory.dmp

                Filesize

                444KB

                Download

              • memory/764-42-0x0000000000630000-0x0000000000730000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/764-72-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/764-21-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/764-26-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/764-67-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/764-18-0x0000000000630000-0x0000000000730000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/764-77-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4140-2-0x0000000000620000-0x000000000068F000-memory.dmp

                Filesize

                444KB

                Download

              • memory/4140-20-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4140-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4140-28-0x00000000006A0000-0x00000000007A0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4140-3-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4148-73-0x0000000000620000-0x0000000000720000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4148-74-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4784-48-0x0000000000400000-0x0000000000480000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4784-47-0x0000000000480000-0x0000000000580000-memory.dmp

                Filesize

                1024KB

                Download