amadey | cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec2c94a21a52027c229a7824d4a1c5ca.exe
Size

791KB
MD5

ec2c94a21a52027c229a7824d4a1c5ca
SHA1

b17aa25017bf7d0af7ffb946bcace0d51331d351
SHA256

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
SHA512

f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761
SSDEEP

24576:Skt2zwjdnAwQ4x2K3yWds0JkKyV0+mZbmNrUCV+7d9/1:PnnAlpadsLK+mZSgfpF

Score

10^/10

amadey risepro persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

risepro

193.233.132.62:50500

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Blocklisted process makes network request 1 IoCs

flow	pid	Process
62	2856	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ec2c94a21a52027c229a7824d4a1c5ca.exe

Executes dropped EXE 4 IoCs

pid	Process
636	explorhe.exe
4372	zonak.exe
5044	explorhe.exe
3420	explorhe.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000527001\\zonak.exe"	explorhe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
636	explorhe.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe
636	explorhe.exe
4372	zonak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
536	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
520	ec2c94a21a52027c229a7824d4a1c5ca.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
520	ec2c94a21a52027c229a7824d4a1c5ca.exe
636	explorhe.exe
4372	zonak.exe
5044	explorhe.exe
3420	explorhe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 636	520	ec2c94a21a52027c229a7824d4a1c5ca.exe	90
PID 520 wrote to memory of 636	520	ec2c94a21a52027c229a7824d4a1c5ca.exe	90
PID 520 wrote to memory of 636	520	ec2c94a21a52027c229a7824d4a1c5ca.exe	90
PID 636 wrote to memory of 536	636	explorhe.exe	91
PID 636 wrote to memory of 536	636	explorhe.exe	91
PID 636 wrote to memory of 536	636	explorhe.exe	91
PID 636 wrote to memory of 4372	636	explorhe.exe	97
PID 636 wrote to memory of 4372	636	explorhe.exe	97
PID 636 wrote to memory of 4372	636	explorhe.exe	97
PID 636 wrote to memory of 2856	636	explorhe.exe	102
PID 636 wrote to memory of 2856	636	explorhe.exe	102
PID 636 wrote to memory of 2856	636	explorhe.exe	102

C:\Users\Admin\AppData\Local\Temp\ec2c94a21a52027c229a7824d4a1c5ca.exe
"C:\Users\Admin\AppData\Local\Temp\ec2c94a21a52027c229a7824d4a1c5ca.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\1000527001\zonak.exe
    "C:\Users\Admin\AppData\Local\Temp\1000527001\zonak.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4372
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2856

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

Filesize
918B

MD5
4bea37262c3bc0b48668b90c5c226af0

SHA1
4a097ea735f361298bdb75472e50b6cf95a49082

SHA256
dcc7bfb401220c0508d993210ce3b24a47c679fecbfd7976c52738d0f97d7830

SHA512
19999476cb9de9876ab3eb7f8ba55e38c6a588b0c828a2f2bf254fdfcd91507de189a14e8f61bef79c540ee59229bf74b813a9167a8f93a35c2d1538dd40a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000527001\zonak.exe

Filesize
1.2MB

MD5
32deb2398aab739048ba49279dc402bd

SHA1
041a12bfcfadeb11e1f68f4de316a98148aaa63d

SHA256
32e45a2553dd7faa47a4cf03ebaf78b6278f0c0198ff59e70991495c4262a88f

SHA512
32c20011d532b8b3e8fc3b9cc6e5fc72630a1cd7cd5052c35f43e68ccf14b587d816cb3191d13730ddf79064ebcf1c302efa6a62707aae034377b82c869a256a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000532001\leg221.exe

Filesize
1KB

MD5
a9aef39375c68b4e9646126b16827a5b

SHA1
cff7f60ddb2ae38bdc6d82d9012d3cf0b6e69471

SHA256
8a80d87e3b0718b1771fe893b0ad9fbe0614b58e56839e95e6adde67320e7c67

SHA512
54afb820f2a489f13054921116a1b6734304a52fcc9d4923b03394215840f870eb50ef8e0681f8fafc733f1514e0fcd3a538802ba120dfe1069fa3ca8490a59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000533001\Zjqkz.exe

Filesize
1KB

MD5
1cb83aaf95f4e9b0a5211286d6fad950

SHA1
cb03bc3700605925105023216054875ba17f2aad

SHA256
05dfbb23c05b7aec5ea88175dd4c6e27d0a5c6ae6c132d55f3876f01f15d2b37

SHA512
d74a4edf11bc162e42b0b1f6ebd62ccf91f3ffa48378374ec5c09b5a0d56388621440a6c169ae12ec04d8a26c198c9d095b090abb8d1e5fd5a9544fc7f305cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000534001\crypted.exe

Filesize
1KB

MD5
446b230e177f8244bc12a1d9544abdfa

SHA1
65cfd0dda3074c6eb4904ab3c7064d4d6f696ee0

SHA256
9f13b93464dbd229064ad11fcf5be447fc10f61f5978aab1772593243a790311

SHA512
f8e64048fbb64c2d0c0102fdb800f15347ed5442342dc74168f84d2fd2df94f6e07f77692b88c63fb9db2daf78304a7eeaa141b79f1c7684cb05993e64252e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000535001\gold1234.exe

Filesize
1KB

MD5
26f03f777f9faf7dce488a99bee8580b

SHA1
3c38b4914e02d9b18f8e12883fd8efd8c78eaf26

SHA256
12edfe9a8f283d8b1fa23012f4b77e61c8c1b5d44d85d68472351c6e4e40d1d5

SHA512
33a1147471a521d521c1236f56156f859f85671624c089f65fd631b371deaf91234fcb9463f342d4933a847bdcaed29d3451e319137625adb3be831571fea509

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000536001\rdx1122.exe

Filesize
1KB

MD5
0f1c3e46a1c620d5597db287ba4beb38

SHA1
7b4a8e25ea15090d334322ee022e8ca7055c7f0d

SHA256
fed76b751238fcfd8f1d569aed7adbe37f7250eac65ce0fcd598829adb64af67

SHA512
6606f07db477e237964a668e86c363f78f9238f739a86c8ea646eb5d0607c042000d4c5fa03485a16811e8b3734d331c6fe0073bec51745389dace2977e292a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000537001\Miner-XMR1.exe

Filesize
1KB

MD5
e859a88628a2bf24d5803e22886bdbe8

SHA1
f26986c25dade7219483704aa43efc26c75e82d4

SHA256
1455f8467abbf5164f791e972f0a954a3dd64d51b3b9ed5252b9b43c4b940c3f

SHA512
e5fa1f0f927bde18bba4eca88785f83d212286a47eefc516dd68e7039b458b4edffd3e71798801a2bdc7aa798a55c06d709366b3154bebd71ade04308843d3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000538001\pixelcloudnew2.exe

Filesize
1KB

MD5
05d8e5c59d55b0eb7fb1d5531206fdd6

SHA1
a9e1f631a361a0db6093ada3f19f1dad55a04669

SHA256
baf40a182b568902d776f72488598d381d954f77de916fc9eda74c17b899ca45

SHA512
8af386cbd9a2cfe7df45297b26159ddac4efb376d3d1096b033b97669841557c218f48f9f3552687dc9aecf5cd9cc0d2cc938065740790e5aa8f2073b47ca32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000539001\flesh.exe

Filesize
1KB

MD5
bdd8cb6f1aebf782844af830252a8f88

SHA1
d38492bc7d521c21e62e7968ed283e51728f85f7

SHA256
4320f52cdc71882ac6cb1643c573f636aa8459678ac0574e0292d75b4ad1889f

SHA512
7dd12add0483318e524fb512e71f2dd257d25076249da6826e81317fa1d04f2f09b0b34408cfefda54f6b04c716ba4c264934e9700243ff1c1c87fb7d12bc984

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Filesize
791KB

MD5
ec2c94a21a52027c229a7824d4a1c5ca

SHA1
b17aa25017bf7d0af7ffb946bcace0d51331d351

SHA256
cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e

SHA512
f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
c15bc8a29020a97a08e4003a05956877

SHA1
7ecedfbdc4d14f7bedf5ec4979051458103c7e0b

SHA256
007b40b86fa555a75f1a0946fb0f0bc9fd903d1f5a3625ad3d61120593e34f0f

SHA512
c2bb8b64670d7ff4688f1b64a9c8e66cbe59ccd52e8e9504658957ccb33b9266805396a9989d6930828993e102f53f9a99035b2e26c417449276f194c0060be1

Download Submit
memory/520-0-0x0000000000660000-0x0000000000A68000-memory.dmp

Filesize
4.0MB

Download
memory/520-16-0x0000000000660000-0x0000000000A68000-memory.dmp

Filesize
4.0MB

Download
memory/520-6-0x0000000000660000-0x0000000000A68000-memory.dmp

Filesize
4.0MB

Download
memory/520-2-0x0000000000660000-0x0000000000A68000-memory.dmp

Filesize
4.0MB

Download
memory/520-1-0x0000000000660000-0x0000000000A68000-memory.dmp

Filesize
4.0MB

Download
memory/636-238-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-258-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-270-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-268-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-224-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-17-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-236-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-214-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-15-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-254-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-240-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-260-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-242-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-252-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-245-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/636-256-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/3420-264-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/3420-267-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/4372-251-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-239-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-271-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-255-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-114-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-257-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-243-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-259-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-241-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-261-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-253-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-237-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-223-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/4372-269-0x00000000007F0000-0x0000000000CD3000-memory.dmp

Filesize
4.9MB

Download
memory/5044-246-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download
memory/5044-250-0x00000000000B0000-0x00000000004B8000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads