Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 04:28

General

  • Target

    11dcd8e017b0e067e922cfb6507a8dde.exe

  • Size

    421KB

  • MD5

    11dcd8e017b0e067e922cfb6507a8dde

  • SHA1

    80c4e499c9666401a0f9099482c7fa9debe006d5

  • SHA256

    2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

  • SHA512

    52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

  • SSDEEP

    6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx

Malware Config

Extracted

  • Family
    amadey
  • Version
    4.18
  • Attributes
    install_dir: 154561dcbf
    install_file: Dctooux.exe
    strings_key: 2cd47fa043c815e1a033c67832f3c6a5
    url_paths: /j4Fvskd3/index.php
  • rc4.plain

Extracted

  • Family
    vidar
  • C2
    https://steamcommunity.com/profiles/76561199673019888
    https://t.me/irfail
  • Attributes
    user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

  • Family
    asyncrat
  • Version
    0.5.8
  • Botnet
    Default
  • C2
    94.228.162.82:6606
    94.228.162.82:7707
    94.228.162.82:8808
  • Mutex
    YBc01FE5mcOd
  • Attributes
    delay: 3
    install: true
    install_file: appBroker.exe
    install_folder: %AppData%
  • aes.plain

Signatures

  • Amadey
    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  • AsyncRat
    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.
  • Detect Vidar Stealer (7 IoCs)
  • Detect ZGRat V1 (2 IoCs)
  • Vidar
    Vidar is an infostealer based on Arkei stealer.
  • ZGRat
    ZGRat is a remote access trojan written in C#.
  • Async RAT payload (1 IoC)
  • Blocklisted process makes network request (1 IoC)
  • Downloads MZ/PE file
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (25 IoCs)
  • Reads WinSCP keys stored on the system (2 TTPs)
    Tries to access WinSCP stored sessions.
  • Reads local data of messenger clients (2 TTPs)
    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and other profile data.
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Delays execution with timeout.exe (1 IoC)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
    "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
        "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:2936
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
        3⤵
        • Loads dropped DLL
        PID:1528
      • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
        "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
        3⤵
        PID:2356
      • C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
        "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1732
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
        3⤵
        • Loads dropped DLL
        PID:2744
      • C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
        "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
            5⤵
            • Creates scheduled task(s)
            PID:828
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:1196
          • C:\Users\Admin\AppData\Roaming\appBroker.exe
            "C:\Users\Admin\AppData\Roaming\appBroker.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2672
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            PID:2676

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        2708f99555a19f62161d1ec74b98b025

        SHA1

        bee3c268c1edc30dac20df7fbc0d96927ce1cc42

        SHA256

        c69168882c16d825b72a3187da94dc7981b4cc26e9377f40aee4dbd61371af07

        SHA512

        c934526e5df8573c34510c72fbf7f95b4512b1aa4a488787dc69dfe932189599c720f973716f09215346fa18bbe5c09ec8b2ccf735858a799b25a43c500dfbd8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        def1a3452107faeeac2e09e0a4c0c4f5

        SHA1

        ee2ec5ded1799471c8e4d59f33b247d9a2f49f71

        SHA256

        649f6ca82a92705c13ef05e5e72b7809c19861809f83c3ea7fa82c02dcc19b33

        SHA512

        0e4e8a2a0b6a3335c1d57d7656bf831ebcd47d5e5d7972f7f671b3bd6d0fbccddb44544b8053d8edec85ef8f1877104c8d72f45532641ca7cba5aeb64daeb31f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        a3aa3f98d2bd55d77772562dd0deab3e

        SHA1

        942ff9f21a5cfa4a701345539bd869c4360e6e42

        SHA256

        19c01700c14a839d796a17a03885b33abba850f194da07371c17d722ed5d3827

        SHA512

        86778e0a7aa2f0d7439f6100a1af7078ab9a80ed8e83b6e36f403bc7b4cd2e292d3b0ea65d4f96115ac5536230c76e750162b2c9659955fb4b3dc9b1d63eddb6

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\76561199673019888[1].htm

        Filesize

        33KB

        MD5

        c2d3beea5e1fa27b3fc1d4a3584dacf2

        SHA1

        848c4db90300cd6f08188b8045c0bba40f309bb1

        SHA256

        345fbfb05b3d1966a6d26463a5a542f2d6d62658982352705d735f546b1cf291

        SHA512

        996fdc6929fce1aeaad7d93c6a2436137d67c7c7ab7ed0b60e389542e4cf6e620407dfac6cf68f0184aadd94975ac4f3737765c9db2110a6bffcbf002fea0739

      • C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

        Filesize

        300KB

        MD5

        b099ea0b80ecf49caa0d7003e0c95071

        SHA1

        228a2aec5cf27fd0fca1f23161257f86bd8359ca

        SHA256

        810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92

        SHA512

        539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

      • C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

        Filesize

        243KB

        MD5

        37976db9d0e6f8bf9db5ae4b56006d9d

        SHA1

        dda3158d09c332c054d01fa08ad9824cb00c7d6a

        SHA256

        2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687

        SHA512

        fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

      • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

        Filesize

        421KB

        MD5

        11dcd8e017b0e067e922cfb6507a8dde

        SHA1

        80c4e499c9666401a0f9099482c7fa9debe006d5

        SHA256

        2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

        SHA512

        52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

      • C:\Users\Admin\AppData\Local\Temp\248906074286

        Filesize

        62KB

        MD5

        6d9522c9251f292af2c380ff042fde38

        SHA1

        3038da236ae759a7dd67cd2f2ddcdf537e266b5a

        SHA256

        f70795f1e0061f2a7bcfb337ac10313c514abb55053dc10092ce428036e21107

        SHA512

        4ed4ce0bd24541539cbbac2f9e1c32250f20ccd2bd005515d1ba1bf50f66fc7ccb7ba77a890962af2eb39198d9a5e6c5b1563bc1541fbfad25e80c57ed6a5989

      • C:\Users\Admin\AppData\Local\Temp\TarE1DE.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat

        Filesize

        153B

        MD5

        483005d6b92b516b1564868184cddb86

        SHA1

        59dbb37843bbdfafef6b1be8123ed228493968ba

        SHA256

        1a668230519b3f83596da41024b12550b92e39acbb029995eb3f29fde3994fd0

        SHA512

        7fa093f068b6a9a10f1078927ef3f7d06ca2024d388bdcb948b01180e468f4ab560ebe06716d4c45c274c6f8c159767358ede6178182a78fdfa6e667c857fff5

      • C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

        Filesize

        48KB

        MD5

        7fd8581748cdf137023ef96f1286ce0f

        SHA1

        c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a

        SHA256

        0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6

        SHA512

        bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

      • C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

        Filesize

        1.2MB

        MD5

        4876ee75ce2712147c41ff1277cd2d30

        SHA1

        3733dc92318f0c6b92cb201e49151686281acda6

        SHA256

        bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed

        SHA512

        9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

      • memory/1516-416-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

        Filesize

        256KB

      • memory/1516-393-0x0000000000510000-0x000000000051A000-memory.dmp

        Filesize

        40KB

      • memory/1516-373-0x00000000064E0000-0x000000000657C000-memory.dmp

        Filesize

        624KB

      • memory/1516-396-0x0000000072E60000-0x000000007354E000-memory.dmp

        Filesize

        6.9MB

      • memory/1516-392-0x0000000004690000-0x00000000046D0000-memory.dmp

        Filesize

        256KB

      • memory/1516-397-0x0000000005490000-0x00000000054F2000-memory.dmp

        Filesize

        392KB

      • memory/1516-355-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

        Filesize

        256KB

      • memory/1516-354-0x0000000072E60000-0x000000007354E000-memory.dmp

        Filesize

        6.9MB

      • memory/1516-353-0x00000000008B0000-0x00000000008C2000-memory.dmp

        Filesize

        72KB

      • memory/1732-246-0x0000000000400000-0x0000000002C2E000-memory.dmp

        Filesize

        40.2MB

      • memory/1732-336-0x0000000000400000-0x0000000002C2E000-memory.dmp

        Filesize

        40.2MB

      • memory/1732-337-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

        Filesize

        1024KB

      • memory/1732-231-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

        Filesize

        1024KB

      • memory/2240-1-0x00000000030B0000-0x00000000031B0000-memory.dmp

        Filesize

        1024KB

      • memory/2240-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

        Filesize

        4KB

      • memory/2240-17-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2240-3-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2240-2-0x0000000000220000-0x000000000028F000-memory.dmp

        Filesize

        444KB

      • memory/2240-19-0x00000000030B0000-0x00000000031B0000-memory.dmp

        Filesize

        1024KB

      • memory/2548-33-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2548-34-0x00000000030B0000-0x00000000031B0000-memory.dmp

        Filesize

        1024KB

      • memory/2548-230-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2548-20-0x00000000030B0000-0x00000000031B0000-memory.dmp

        Filesize

        1024KB

      • memory/2548-352-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2548-21-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2548-57-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2548-32-0x0000000000400000-0x0000000002C4C000-memory.dmp

        Filesize

        40.3MB

      • memory/2916-298-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

        Filesize

        72KB

      • memory/2916-338-0x0000000004BC0000-0x0000000004C00000-memory.dmp

        Filesize

        256KB

      • memory/2916-348-0x00000000729A0000-0x000000007308E000-memory.dmp

        Filesize

        6.9MB

      • memory/2916-299-0x00000000729A0000-0x000000007308E000-memory.dmp

        Filesize

        6.9MB

      • memory/2936-194-0x0000000000400000-0x0000000002C2E000-memory.dmp

        Filesize

        40.2MB

      • memory/2936-54-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

        Filesize

        1024KB

      • memory/2936-55-0x00000000002B0000-0x00000000002E5000-memory.dmp

        Filesize

        212KB

      • memory/2936-56-0x0000000000400000-0x0000000002C2E000-memory.dmp

        Filesize

        40.2MB

      • memory/2936-195-0x0000000000400000-0x0000000002C2E000-memory.dmp

        Filesize

        40.2MB

      • memory/2936-196-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

        Filesize

        1024KB