Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6880c370f4f9d9d2913050619c0a8942004e16efbaef12ad3b5496464ff044ac.exe

  • Size

    1.8MB

  • MD5

    70308ff470a1a40c49a8c50e5f2f8e64

  • SHA1

    1a29c5ca546f75d7f62dd71a769a32f05e745a49

  • SHA256

    6880c370f4f9d9d2913050619c0a8942004e16efbaef12ad3b5496464ff044ac

  • SHA512

    7b1c93823e39615357182fecc99207c1f990cf4b676e37438b0c295432225b02625c0104a09292a757decfa45ff3f29be7b0583c62f35ee1d0e13a2aa94e4f28

  • SSDEEP

    24576:TJp8g8ExHhUYraOcTW56rp/APR8X/Hk7/IKk3vKDZ1ey9byUuUIGuBFQNsmYM+mI:TJpDHhUxrp/Q2/HwSu5oBFQSmYMi

Score
10/10
amadeyevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6880c370f4f9d9d2913050619c0a8942004e16efbaef12ad3b5496464ff044ac.exe
    "C:\Users\Admin\AppData\Local\Temp\6880c370f4f9d9d2913050619c0a8942004e16efbaef12ad3b5496464ff044ac.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4464
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
            PID:544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3280
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:744

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
        Filesize

        1.8MB

        MD5

        70308ff470a1a40c49a8c50e5f2f8e64

        SHA1

        1a29c5ca546f75d7f62dd71a769a32f05e745a49

        SHA256

        6880c370f4f9d9d2913050619c0a8942004e16efbaef12ad3b5496464ff044ac

        SHA512

        7b1c93823e39615357182fecc99207c1f990cf4b676e37438b0c295432225b02625c0104a09292a757decfa45ff3f29be7b0583c62f35ee1d0e13a2aa94e4f28

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_laiyiw4o.gog.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
        Filesize

        109KB

        MD5

        2afdbe3b99a4736083066a13e4b5d11a

        SHA1

        4d4856cf02b3123ac16e63d4a448cdbcb1633546

        SHA256

        8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

        SHA512

        d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
        Filesize

        1.2MB

        MD5

        92fbdfccf6a63acef2743631d16652a7

        SHA1

        971968b1378dd89d59d7f84bf92f16fc68664506

        SHA256

        b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

        SHA512

        b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

        Download Submit

      • memory/2712-64-0x00007FFE92470000-0x00007FFE92F31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2712-57-0x0000022357020000-0x000002235702A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2712-56-0x00000223574F0000-0x0000022357502000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2712-55-0x0000022357030000-0x0000022357040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2712-54-0x0000022357030000-0x0000022357040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2712-53-0x00007FFE92470000-0x00007FFE92F31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2712-48-0x0000022357040000-0x0000022357062000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3696-27-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-65-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-85-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-19-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-20-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-21-0x0000000004A70000-0x0000000004A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-22-0x0000000004A80000-0x0000000004A81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-23-0x0000000004A60000-0x0000000004A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-24-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-25-0x0000000004A40000-0x0000000004A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-26-0x0000000004A50000-0x0000000004A51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-84-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-29-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-28-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-30-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-83-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-82-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-81-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-80-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-79-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-78-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-77-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3696-63-0x0000000000870000-0x0000000000D26000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4464-6-0x0000000004C80000-0x0000000004C81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-2-0x0000000000FC0000-0x0000000001476000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4464-16-0x0000000000FC0000-0x0000000001476000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4464-1-0x00000000778D4000-0x00000000778D6000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4464-4-0x0000000004C60000-0x0000000004C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-5-0x0000000004C40000-0x0000000004C41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-3-0x0000000004C50000-0x0000000004C51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-7-0x0000000004C20000-0x0000000004C21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-8-0x0000000004C30000-0x0000000004C31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-9-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-10-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4464-0-0x0000000000FC0000-0x0000000001476000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4464-12-0x0000000000FC0000-0x0000000001476000-memory.dmp

        Filesize

        4.7MB

        Download