Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-04-2024 11:22

General

  • Target

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe

  • Size

    391KB

  • MD5

    19d257c7f63ff3dbf8b5ae26f2c1b45a

  • SHA1

    dc84514dd1471efa7db9e34c43c6a60827dadad0

  • SHA256

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • SHA512

    7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

  • SSDEEP

    6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj

Malware Config

Extracted

Family

amadey

Version

3.21

C2

http://185.215.113.204

Attributes
  • install_dir

    580e612ff0

  • install_file

    bguuwe.exe

  • strings_key

    11ae05ddf878fd8a904552f1e0be6ecb

  • url_paths

    /Lkb2dxj3/index.php

  • rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
    "C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
      "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
          4⤵
          PID:2460
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:2540
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • outlook_win_path
          PID:2720
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {8181A24B-0FFD-425E-A0E7-5F99AA96981B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        2⤵
        • Executes dropped EXE
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        2⤵
        • Executes dropped EXE
        PID:2832

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    • C:\Users\Admin\AppData\Local\Temp\061713141703

      Filesize

      65KB

      MD5

      3b3a84129858dc28055a6f99d05aa1a6

      SHA1

      072d4b5d6db20a94061873c2e952ad1a15c00e56

      SHA256

      b21d43e677aa2d86f63004f306dad96cfffc0c6eda10467f707626c30115d5c0

      SHA512

      c489d6daa956ffde2ffc154185e52a9493d0c54e666b9665715828a3921e6e22769e341e195e527e545aae26f27224ec001114a498ea2220ebee198599a95988

    • C:\Users\Admin\AppData\Local\Temp\Tar9361.tmp

      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    • C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll

      Filesize

      126KB

      MD5

      2930d1a61c3e082b983802bf71266ec0

      SHA1

      9b676931a59da39eac50a08c15d5c4beb22ac366

      SHA256

      5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3

      SHA512

      df8038ac7866a9929d56f138380ec75b78723a5a99ce425f394b216f8a30597a90e6f1173269dda06b3a414b0ccab60a6cf1fef2d0047f5ed010d5c7f9aed53b

    • \Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe

      Filesize

      391KB

      MD5

      19d257c7f63ff3dbf8b5ae26f2c1b45a

      SHA1

      dc84514dd1471efa7db9e34c43c6a60827dadad0

      SHA256

      5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

      SHA512

      7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

    • memory/1108-390-0x00000000004E0000-0x00000000005E0000-memory.dmp

      Filesize

      1024KB

    • memory/1108-392-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-144-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-393-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-16-0x0000000000620000-0x0000000000720000-memory.dmp

      Filesize

      1024KB

    • memory/1392-434-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-266-0x0000000000620000-0x0000000000720000-memory.dmp

      Filesize

      1024KB

    • memory/1392-415-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-399-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/1392-17-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/2812-5-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/2812-2-0x0000000000220000-0x0000000000262000-memory.dmp

      Filesize

      264KB

    • memory/2812-14-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB

    • memory/2812-1-0x0000000000560000-0x0000000000660000-memory.dmp

      Filesize

      1024KB

    • memory/2832-420-0x00000000002B0000-0x00000000003B0000-memory.dmp

      Filesize

      1024KB

    • memory/2832-422-0x0000000000400000-0x000000000046E000-memory.dmp

      Filesize

      440KB