amadey | 00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0

Analysis

max time kernel
11s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67cb1519b04712177716a6c87cf51264.exe
Size

790KB
MD5

67cb1519b04712177716a6c87cf51264
SHA1

e77caf42107a191354ffb6c978be9eb7f09da831
SHA256

00c430ff9419de414c9a73a7dbbdbc1ca235e509e7d89c5ea2f948938c869ab0
SHA512

570634c4da43101fe3643434bd37c80627d1b3c88094d7b276dba00b80aba8af4528dcc0ed2122560f3d5557b96e7c26a156e34e8dca3a5a799386a0cfcbdb61
SSDEEP

24576:poxaB/nPwQbaiyIakEL5JYqDZbmNrU0W0Rl:pP/nPlLL85JRZSgu

Score

10^/10

amadey risepro persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	67cb1519b04712177716a6c87cf51264.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 5 IoCs

Processes:

explorhe.exelivak.exezonak.exeexplorhe.exeSetupPowerGREPDemo.exe

pid process

324 explorhe.exe
3480 livak.exe
4700 zonak.exe
3032 explorhe.exe
1244 SetupPowerGREPDemo.exe

pid	process
324	explorhe.exe
3480	livak.exe
4700	zonak.exe
3032	explorhe.exe
1244	SetupPowerGREPDemo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\livak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000392001\\livak.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000434001\\zonak.exe"	explorhe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exezonak.exeexplorhe.exe

pid process

3572 67cb1519b04712177716a6c87cf51264.exe
4700 zonak.exe
324 explorhe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2592 schtasks.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exezonak.exeexplorhe.exe

pid process

3572 67cb1519b04712177716a6c87cf51264.exe
324 explorhe.exe
4700 zonak.exe
3032 explorhe.exe

pid	process
3572	67cb1519b04712177716a6c87cf51264.exe
4700	zonak.exe
324	explorhe.exe

pid	process
2592	schtasks.exe

pid	process
3572	67cb1519b04712177716a6c87cf51264.exe
324	explorhe.exe
4700	zonak.exe
3032	explorhe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

67cb1519b04712177716a6c87cf51264.exeexplorhe.exe

description	pid	process	target process
PID 3572 wrote to memory of 324	3572	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 3572 wrote to memory of 324	3572	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 3572 wrote to memory of 324	3572	67cb1519b04712177716a6c87cf51264.exe	explorhe.exe
PID 324 wrote to memory of 2592	324	explorhe.exe	schtasks.exe
PID 324 wrote to memory of 2592	324	explorhe.exe	schtasks.exe
PID 324 wrote to memory of 2592	324	explorhe.exe	schtasks.exe
PID 324 wrote to memory of 3480	324	explorhe.exe	livak.exe
PID 324 wrote to memory of 3480	324	explorhe.exe	livak.exe
PID 324 wrote to memory of 3480	324	explorhe.exe	livak.exe
PID 324 wrote to memory of 4700	324	explorhe.exe	zonak.exe
PID 324 wrote to memory of 4700	324	explorhe.exe	zonak.exe
PID 324 wrote to memory of 4700	324	explorhe.exe	zonak.exe
PID 324 wrote to memory of 1244	324	explorhe.exe	SetupPowerGREPDemo.exe
PID 324 wrote to memory of 1244	324	explorhe.exe	SetupPowerGREPDemo.exe

C:\Users\Admin\AppData\Local\Temp\67cb1519b04712177716a6c87cf51264.exe
"C:\Users\Admin\AppData\Local\Temp\67cb1519b04712177716a6c87cf51264.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2592

C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
"C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe"
3⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
"C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe"
3⤵
- Executes dropped EXE
PID:1244

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
Filesize
369KB

MD5
7cd708c175e4c8827c50f9e6d73f3f93

SHA1
182e3d575775118ba6a18a38467fe471815a8f0c

SHA256
46b3f5f619c7c6ae40941ec850e5217cc7f86cd7b2fff9d04ac367fed8f7b348

SHA512
1d21765c0781bd9430e3334ed366bdc047cda8b40bcc5e32eb25f02479228d9d2b8f34f987c399b9484714ce0cf37f8831c6935f1aed00b8441b9abc677a86f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
Filesize
176KB

MD5
0acbe58cdf86f4c45f4515bebc15d170

SHA1
ac6fe45b031bc7573d9df78b5b287766fba6e33e

SHA256
a0a013d8313fecea4d3cb9d839e7f3c81b47503dc2bddb71f88a16cedabb321a

SHA512
bdf91de0ccdc0036b1a74fda0f8c28f954a430d5a8fd7e05a77a1b09f5f01f32d87b25d36469113fbde388381040790857920962bdb08fe2a72b090a85bf932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000392001\livak.exe
Filesize
175KB

MD5
11e4aad2157f4111625a998cc2922e45

SHA1
99874b2143686d222b3f733805afd06963a31306

SHA256
2d3907014ba2826077e265008a5f79d623060e18676700eda3187b3696ee4068

SHA512
afeec4439cba44912701b3c7cf23127f63dee4304a20dfd5c513400fc09964e1c5a164ee8b33ab19f474682874e0ff4675d8d40f36c8c19280f4f301059d17c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
Filesize
417KB

MD5
3968122bdf70802d38fcc09111c1c6ed

SHA1
bf7057b6a33713e575999b518c941e831d7a3263

SHA256
14096eb5003376991de193d238075267bdf6dcd64e960bf81f9e8ef5b907b46f

SHA512
c54a52c2daf0390d1b7647f616b2cab8683800e8d8d088cce7322ea0f982b507c39981aab8c078191e4bdaced20c041888f6a5afd2541b19e1ca904766bbd8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
Filesize
576KB

MD5
6cb449b15b1a140b2533cbec633cd839

SHA1
11828611d0b4464d19088442bda737303e8cd072

SHA256
e09cd7a26ba90130181d203120ca9c79c5778cc6650969827264081a31bd7890

SHA512
00fb49de3ed5d312f4a3e7c83ee2b9ea11776b2342bc2d9bd7f737a962b20344193f0fb54e7291e74df29c488e2f8d8f637c150b4ac2781254d7d4c41525d4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000434001\zonak.exe
Filesize
411KB

MD5
b49d3c9d044ba5152be99ff0db3e0169

SHA1
69f8d6b9b593aa34682050ae85fb2de1cf081627

SHA256
02dedf427a864cf70117821e0bd675b61e39d13f4a9339481d93ed3fcdfca898

SHA512
08293a6c77ab9482d194362bd27927a2e29d9c274af117a85584a01f8f0e7936c23fd53a85c3c31e95fcfda90e1706dfc2a4f8fa750edc285d841103b7dfe28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
Filesize
613KB

MD5
ab67f1667338f5e1259830163d9beb42

SHA1
4ab7e52ff280e40acd93f136ee4eb5196d29468e

SHA256
4aedf25a6b4780a938afb16fdd5de475a995cbd268c05839b31e404e765bedfa

SHA512
d6944100939adac3d71f13c0198275e490557d980bb47188346913d3958338d3510bc71a8b58e42d1c6c1472c073ba4df260c38a51ac9132c0efb60a56cbfe60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
Filesize
450KB

MD5
6f9bf992cbb78c826fdfaaffdf28f979

SHA1
65416d66d5ac4b6087281c0f65fba3a911a88ac6

SHA256
4e552914af3db9d78fc046a2a92f77656b89e9d65b47a7626b6c7472c89ab9e1

SHA512
8e8983c2ea4ffb49921882fe7f06746f75ff6e18ff8c7db40a34dd33b25798b9f2b6fd70801c8fe08e8f8b6f148fedc6fc0e18628f1f2eeb52a4b803cd21947f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000441001\SetupPowerGREPDemo.exe
Filesize
226KB

MD5
fa1017b5189ccd8582efd3729b2cca39

SHA1
0f1e58749b52430f8ab9a22a3cd0f8a8c07a1e62

SHA256
a01fedc48256fc32c7fcbf03fe1cc120475b6f9c23ed8b9da6996d7812e41121

SHA512
d08d61b84ebfcbfed5fc32a0be4ab8ab6db6d3be06142da769da4973fe2fa57b61840ae96f587477028e24898d8189ee772dd7ee88e9836662bbab9d6a478d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
592KB

MD5
520de4ec475e9bb26c23732b4e972527

SHA1
96284cc1947f0d44b7236ad1c62542c670800e3b

SHA256
d0fd7b66b203d683364b9eb880b3f16cef8b576c54d7e4c154737d6366e09297

SHA512
3be759130751cc5eb2ad0df17f76f11cb09b9bd3acb93f64b3ad4332f1f691185ba519db801f02380dce37acf56ebf5973d80b9e8b1147c9ae9bbd9d4f7ee181

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
659KB

MD5
9166076ee909b475a9e4cfe865ebe45c

SHA1
9c119ff0f22e67c4443256a8c637f02f464de0b2

SHA256
01bf514ff2e54a80b35b5c9525273141dde1db988dba31c52aeffcf7703ce1f2

SHA512
69af41fb905291fc015548276e6a39dadea1b8c0778e925dd38c2c2a75a4a5921634af5b9a6efb419925a148ddc35e79989fa9dd8579d81e1ebf9fd0c049834f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
303KB

MD5
c4c09bbd23fa817cebd6bd26495a6b75

SHA1
0b9b420a8202d41326222b23af526c167c7b8b7c

SHA256
1802657bc3d1bd857e1dfba7f0ca3595093a62c5311b4b700b988c4b91d49efd

SHA512
6879f98a0aeb4ff7b8449edbe6a97f05b5706d0315e75887e75f872666d587f48391206af8a0c8fb46c5bf161fc647846c7c9dfffcef4fbece951ce1458ed2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
757KB

MD5
8b37e7a037cdfb60447bbf018a224389

SHA1
a607f6828ce248865eafc6232a28a672e27d94b2

SHA256
e1a633696e8dffe40f6fa93625700f57443173c97e8d9b4ce2f9f7d3eb2cefa7

SHA512
981f7b74764ee2b6fa58c6f33e8df7fd3f51c5675886761ecfa1fca13e6a662190246a3f47c2ae7a61670163ac773415298584820784c094166f042bfb677ce7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
e89ac1f7b3083ec3c93283ec05fecf79

SHA1
489b25a1a12157a6b3ce503b091feee61522ffc5

SHA256
60a8cdd10cb25eef274723b0c24b5d140a5ef2402455f7a03dc44844b867dbde

SHA512
1c498b1b8733fe257e1c57e1b89641909af085b35a3becfc9893616205e9d3efce9e14345a3080b0d3b75bfff97bd36ecc819126b511088ab10476fb77ca7187

Download Submit
memory/324-16-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/324-17-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/324-83-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/324-14-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/3032-60-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/3032-63-0x0000000000B20000-0x0000000000F28000-memory.dmp

Filesize
4.0MB

Download
memory/3572-13-0x0000000000F50000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/3572-1-0x0000000000F50000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/3572-2-0x0000000000F50000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/3572-0-0x0000000000F50000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/4700-55-0x0000000000280000-0x000000000079D000-memory.dmp

Filesize
5.1MB

Download