Overview

overview

10

Static

static

3

5f344c8009...af.exe

windows7-x64

10

5f344c8009...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe

  • Size

    391KB

  • MD5

    19d257c7f63ff3dbf8b5ae26f2c1b45a

  • SHA1

    dc84514dd1471efa7db9e34c43c6a60827dadad0

  • SHA256

    5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

  • SHA512

    7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

  • SSDEEP

    6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj

Score
10/10
amadeyvidar1827collectioncredmodulespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.21

C2

http://185.215.113.204

Attributes
  • install_dir

    580e612ff0

  • install_file

    bguuwe.exe

  • strings_key

    11ae05ddf878fd8a904552f1e0be6ecb

  • url_paths

    /Lkb2dxj3/index.php

rc4.plain

Extracted

Family

vidar

Version

55.7

Botnet

1827

C2

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80
Attributes
  • profile_id

    1827

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 1 IoCs
    credmodule
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
    "C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
      "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
          4⤵
            PID:2488
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:3804
        • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
          "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
          3⤵
          • Executes dropped EXE
          PID:4768
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • outlook_win_path
          PID:2692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1048
        2⤵
        • Program crash
        PID:2720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2084 -ip 2084
      1⤵
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
        1⤵
        • Executes dropped EXE
        PID:4592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 484
          2⤵
          • Program crash
          PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4592 -ip 4592
        1⤵
          PID:4596
        • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
          C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
          1⤵
          • Executes dropped EXE
          PID:4824
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 484
            2⤵
            • Program crash
            PID:4840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4824 -ip 4824
          1⤵
            PID:2668

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\115902204129
            Filesize

            76KB

            MD5

            4ca86321da6b7a255d9ead384be64493

            SHA1

            c8aa8ccf0fee039fa66eabd35ac448347895df32

            SHA256

            2b4b64c4670efb6989fee94088bdb8a727be978ddb6ce8114381cd3fb6ce8988

            SHA512

            6e665da6f891a50412b1a4dbbe52d8d7040908421bb02664fe6c7004e160a1b50abae790e97ec0508a44a4b38ff38c5082b148cb0180e1862b69aa6c09341099

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
            Filesize

            391KB

            MD5

            19d257c7f63ff3dbf8b5ae26f2c1b45a

            SHA1

            dc84514dd1471efa7db9e34c43c6a60827dadad0

            SHA256

            5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af

            SHA512

            7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
            Filesize

            126KB

            MD5

            2930d1a61c3e082b983802bf71266ec0

            SHA1

            9b676931a59da39eac50a08c15d5c4beb22ac366

            SHA256

            5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3

            SHA512

            df8038ac7866a9929d56f138380ec75b78723a5a99ce425f394b216f8a30597a90e6f1173269dda06b3a414b0ccab60a6cf1fef2d0047f5ed010d5c7f9aed53b

            Download Submit

          • memory/2084-20-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2084-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2084-5-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2084-2-0x00000000021B0000-0x00000000021F2000-memory.dmp

            Filesize

            264KB

            Download

          • memory/3108-123-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-16-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-15-0x0000000002080000-0x00000000020C2000-memory.dmp

            Filesize

            264KB

            Download

          • memory/3108-98-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-84-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-62-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-75-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/3108-14-0x0000000000510000-0x0000000000610000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/3108-64-0x0000000000510000-0x0000000000610000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4592-71-0x0000000000520000-0x0000000000620000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4592-72-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/4592-73-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download

          • memory/4768-67-0x0000000000A40000-0x0000000000B40000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4768-49-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-48-0x00000000009B0000-0x00000000009FA000-memory.dmp

            Filesize

            296KB

            Download

          • memory/4768-47-0x0000000000A40000-0x0000000000B40000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4768-63-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-46-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-44-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-43-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-42-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4768-40-0x0000000000400000-0x0000000000854000-memory.dmp

            Filesize

            4.3MB

            Download

          • memory/4824-105-0x0000000000470000-0x0000000000570000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4824-106-0x0000000000400000-0x000000000046E000-memory.dmp

            Filesize

            440KB

            Download