Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-03-2024 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc9e77808288969ffb55b9b4288751746c1af27431a2c9d80b0988a8ba1eecd9.exe

  • Size

    1.8MB

  • MD5

    3ee6c265c7ee4d8851d89fc62ae1f9bc

  • SHA1

    35cfddb7801f3cc6360f7c7083d4ba578e96bf1f

  • SHA256

    bc9e77808288969ffb55b9b4288751746c1af27431a2c9d80b0988a8ba1eecd9

  • SHA512

    62e7f692e570d2420cbb86d0fb93e3872d4ff9e7a0cee735b4c624c14f13ac5515fcdd97c0078a0af72e3589b53772d85722659c4ea721c15e0af48afce85996

  • SSDEEP

    49152:NoXjR2GaQTqvH4KFxvh6EFbGqmP9C8EFJOVWS5NWFuGXom1:+F2GaAqvH4mxvhV+k8ETUW7wGYm

Score
10/10
amadeyevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc9e77808288969ffb55b9b4288751746c1af27431a2c9d80b0988a8ba1eecd9.exe
    "C:\Users\Admin\AppData\Local\Temp\bc9e77808288969ffb55b9b4288751746c1af27431a2c9d80b0988a8ba1eecd9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3852
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
            PID:4556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:876
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
      Filesize

      1.8MB

      MD5

      3ee6c265c7ee4d8851d89fc62ae1f9bc

      SHA1

      35cfddb7801f3cc6360f7c7083d4ba578e96bf1f

      SHA256

      bc9e77808288969ffb55b9b4288751746c1af27431a2c9d80b0988a8ba1eecd9

      SHA512

      62e7f692e570d2420cbb86d0fb93e3872d4ff9e7a0cee735b4c624c14f13ac5515fcdd97c0078a0af72e3589b53772d85722659c4ea721c15e0af48afce85996

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uzghhbte.uzt.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
      Filesize

      109KB

      MD5

      2afdbe3b99a4736083066a13e4b5d11a

      SHA1

      4d4856cf02b3123ac16e63d4a448cdbcb1633546

      SHA256

      8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

      SHA512

      d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
      Filesize

      1.2MB

      MD5

      92fbdfccf6a63acef2743631d16652a7

      SHA1

      971968b1378dd89d59d7f84bf92f16fc68664506

      SHA256

      b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

      SHA512

      b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

      Download Submit

    • memory/876-61-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/876-55-0x000001E17AA90000-0x000001E17AA9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/876-54-0x000001E17AC00000-0x000001E17AC12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/876-52-0x000001E17AAB0000-0x000001E17AAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-49-0x000001E17AA50000-0x000001E17AA72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/876-51-0x000001E17AAB0000-0x000001E17AAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/876-50-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1056-27-0x0000000005950000-0x0000000005951000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-81-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-18-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-19-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-21-0x0000000005910000-0x0000000005911000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-22-0x00000000058F0000-0x00000000058F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-20-0x0000000005900000-0x0000000005901000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-23-0x0000000005930000-0x0000000005931000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-24-0x00000000058D0000-0x00000000058D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-25-0x00000000058E0000-0x00000000058E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-26-0x0000000005960000-0x0000000005961000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1056-62-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-28-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-80-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-79-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-78-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-77-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-76-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-75-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-53-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/1056-63-0x0000000000F20000-0x00000000013D6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3852-6-0x00000000055F0000-0x00000000055F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-2-0x0000000000D40000-0x00000000011F6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3852-4-0x00000000055D0000-0x00000000055D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-5-0x00000000055B0000-0x00000000055B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-1-0x0000000077C76000-0x0000000077C78000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3852-3-0x00000000055C0000-0x00000000055C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-15-0x0000000000D40000-0x00000000011F6000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3852-7-0x0000000005590000-0x0000000005591000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-8-0x00000000055A0000-0x00000000055A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-9-0x0000000005620000-0x0000000005621000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-10-0x0000000005610000-0x0000000005611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3852-0-0x0000000000D40000-0x00000000011F6000-memory.dmp

      Filesize

      4.7MB

      Download