Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-03-2024 08:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96e7a02799075bbf3a589b93fbdd04a570cb1319764065f91d066a10a69f3fd3.exe

  • Size

    1.8MB

  • MD5

    f83d4111bc57bd8b891a321ea251641e

  • SHA1

    2da26c58ad6dff8f22a1534a9ca0408cd7209deb

  • SHA256

    96e7a02799075bbf3a589b93fbdd04a570cb1319764065f91d066a10a69f3fd3

  • SHA512

    01632257096ad08cfe6aeebb4b7a0c446ea818bd14b8abbdbf830a697b35b889e38a994b96122fa3463429554b810d2253826f21b5143323193dff37c6574cc7

  • SSDEEP

    49152:b2t4+BKZ9c4wX2DzDcnR1FNAm0SeQVUdx:b2xBKbcAMRv+HSeQ2T

Score
10/10
amadeyevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96e7a02799075bbf3a589b93fbdd04a570cb1319764065f91d066a10a69f3fd3.exe
    "C:\Users\Admin\AppData\Local\Temp\96e7a02799075bbf3a589b93fbdd04a570cb1319764065f91d066a10a69f3fd3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3560
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
            PID:3892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip' -CompressionLevel Optimal
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3616

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    2
    T1552.001

    Credentials in Registry

    1
    T1552.002

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
      Filesize

      1.8MB

      MD5

      f83d4111bc57bd8b891a321ea251641e

      SHA1

      2da26c58ad6dff8f22a1534a9ca0408cd7209deb

      SHA256

      96e7a02799075bbf3a589b93fbdd04a570cb1319764065f91d066a10a69f3fd3

      SHA512

      01632257096ad08cfe6aeebb4b7a0c446ea818bd14b8abbdbf830a697b35b889e38a994b96122fa3463429554b810d2253826f21b5143323193dff37c6574cc7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\852399462405_Desktop.zip
      Filesize

      156KB

      MD5

      32da6e529adf07ff0ba828a50a4b7d03

      SHA1

      5b6eac66bc00455d0e1dcb0890e9ad4e56b780ee

      SHA256

      853f08e75b264321951ee99d0413106972ff018ff70ffd71722b9b766e5635c7

      SHA512

      70f7e514f88aa1846419a3c1342c723240661a4fca7c8da6b49fda231f8271392eb5dc47d3ebff8dfc84e857170c1fbfc77d95da92002c99722f4ba70c784b95

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_Files_\MountCompress.txt
      Filesize

      156KB

      MD5

      603c74afee1c560a744fcc607a5bffae

      SHA1

      1faa7c45996a341b86ed30571a32ec3980f8ac11

      SHA256

      4fb16c1a392465b7ce9f345866b00a020500f75ce965e147ccac1b91573d49c3

      SHA512

      6dff1266d69d046461465a65ac7e13a3a968daef8866cf9a7272e9d0f60057f2e5a14faf2e9d9b24894d32be7f09c75acf35d73475de6fa8afeb77d4048199bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmklnblu.xey.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
      Filesize

      109KB

      MD5

      2afdbe3b99a4736083066a13e4b5d11a

      SHA1

      4d4856cf02b3123ac16e63d4a448cdbcb1633546

      SHA256

      8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

      SHA512

      d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
      Filesize

      1.2MB

      MD5

      92fbdfccf6a63acef2743631d16652a7

      SHA1

      971968b1378dd89d59d7f84bf92f16fc68664506

      SHA256

      b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

      SHA512

      b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

      Download Submit
    • memory/872-55-0x0000019A6B2A0000-0x0000019A6B2B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/872-54-0x0000019A6AFB0000-0x0000019A6AFC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/872-52-0x0000019A6AFB0000-0x0000019A6AFC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/872-51-0x00007FFF05580000-0x00007FFF06042000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/872-56-0x0000019A6AFA0000-0x0000019A6AFAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/872-50-0x0000019A6B130000-0x0000019A6B152000-memory.dmp
      Filesize

      136KB

      Download
    • memory/872-61-0x00007FFF05580000-0x00007FFF06042000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1812-27-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-18-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-21-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-22-0x0000000004E90000-0x0000000004E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-20-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-23-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-24-0x0000000004E70000-0x0000000004E71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-25-0x0000000004E80000-0x0000000004E81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-26-0x0000000004F00000-0x0000000004F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1812-83-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-28-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-63-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-82-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-81-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-80-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-79-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-53-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-19-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-78-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-77-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-76-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1812-64-0x0000000000340000-0x0000000000808000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3560-7-0x0000000005140000-0x0000000005141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-2-0x00000000006C0000-0x0000000000B88000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3560-3-0x0000000005160000-0x0000000005161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-1-0x00000000776E6000-0x00000000776E8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3560-6-0x0000000005130000-0x0000000005131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-4-0x0000000005150000-0x0000000005151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-5-0x0000000005190000-0x0000000005191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-8-0x0000000005170000-0x0000000005171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-9-0x00000000051C0000-0x00000000051C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-10-0x00000000051B0000-0x00000000051B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3560-15-0x00000000006C0000-0x0000000000B88000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3560-0-0x00000000006C0000-0x0000000000B88000-memory.dmp
      Filesize

      4.8MB

      Download