Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-04-2024 04:29

General

  • Target

    11dcd8e017b0e067e922cfb6507a8dde.exe

  • Size

    421KB

  • MD5

    11dcd8e017b0e067e922cfb6507a8dde

  • SHA1

    80c4e499c9666401a0f9099482c7fa9debe006d5

  • SHA256

    2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

  • SHA512

    52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

  • SSDEEP

    6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes
  • install_dir

    154561dcbf

  • install_file

    Dctooux.exe

  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Extracted

Family

vidar

C2

https://steamcommunity.com/profiles/76561199673019888

https://t.me/irfail

Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

94.228.162.82:6606

94.228.162.82:7707

94.228.162.82:8808

Mutex

YBc01FE5mcOd

Attributes
  • delay

    3

  • install

    true

  • install_file

    appBroker.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Vidar Stealer (7 IoCs)
  • Detect ZGRat V1 (2 IoCs)
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Async RAT payload (1 IoCs)
  • Blocklisted process makes network request (1 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (21 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
    "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
        "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1676
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
        3⤵
        • Loads dropped DLL
        PID:2988
      • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
        "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
        3⤵
        PID:3032
      • C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
        "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:1568
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
        3⤵
        • Loads dropped DLL
        PID:1744
      • C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
        "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
            5⤵
            • Creates scheduled task(s)
            PID:612
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:336
          • C:\Users\Admin\AppData\Roaming\appBroker.exe
            "C:\Users\Admin\AppData\Roaming\appBroker.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
          4⤵
          PID:912
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        68KB

        MD5

        29f65ba8e88c063813cc50a4ea544e93

        SHA1

        05a7040d5c127e68c25d81cc51271ffb8bef3568

        SHA256

        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

        SHA512

        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        ba8466e6a98783b9cd358a187ae9e2c3

        SHA1

        fcba75fd251d63927548533f6cd91efb787da9f4

        SHA256

        4dc6be2875e9490a5083696960034d110b338e3a297aad6fa24d01112d2137c0

        SHA512

        15578005c572757dffbc87d9f46699b19bec976a267206f24ebe80161690c0046170bcca1e3ef5a433b9fdbd545c3723243d1a9cea0d8f9cd804deb52eddecb9

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        27cc178f86f92ba0f0b7d0c856e2f7fb

        SHA1

        aef1c0aed6485f3a452ad54bb89d0d00427ce547

        SHA256

        bac1a65ec671e8b9d638cb92af49a50dae0a616e3c878964d184049ce3b9bf76

        SHA512

        420d37ee8879b97826b87f1b0a000bd5bfaf29c625013e984499422b2c5cc2a2c1a5c80ea8384ab9a78966bf4c417d97e447879c99be2bd72e4784f2447e6d8c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        1b094ac37678943d494ba78ea70d267f

        SHA1

        23a839bbc379f4982b40b6cd4c395eb833ab783c

        SHA256

        eb32d62b3166b37c27135316d47349515adb3922770f109e9dc0a1e8956949f1

        SHA512

        6c48ba445cf04c70833d39dd7127b259189b62f6fa33fe9b4ddbe9126754af4e4d4c62923d74cb053a4785295ba4cb00631bc6b9f9d84f13d439280de24ef58e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\76561199673019888[1].htm

        Filesize

        33KB

        MD5

        1bcc95b1087b78e7278d381e624f2e1e

        SHA1

        44892824fcea1ff66e4803b822426abac3edd118

        SHA256

        ed1f88d3c68ce12c34981e84852b518fb90c30b039a7eee57638e970476dac06

        SHA512

        187f931f6f70e56b51b1d1815d640009a463d34f654e471ea53b8f0adc5166bcf4e6e4eac570569d3d82bb87d02c08c0859606b4262d0580b76a100fa222649f

      • C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe

        Filesize

        300KB

        MD5

        b099ea0b80ecf49caa0d7003e0c95071

        SHA1

        228a2aec5cf27fd0fca1f23161257f86bd8359ca

        SHA256

        810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92

        SHA512

        539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

      • C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll

        Filesize

        243KB

        MD5

        37976db9d0e6f8bf9db5ae4b56006d9d

        SHA1

        dda3158d09c332c054d01fa08ad9824cb00c7d6a

        SHA256

        2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687

        SHA512

        fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

      • C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

        Filesize

        421KB

        MD5

        11dcd8e017b0e067e922cfb6507a8dde

        SHA1

        80c4e499c9666401a0f9099482c7fa9debe006d5

        SHA256

        2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70

        SHA512

        52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

      • C:\Users\Admin\AppData\Local\Temp\721934792624

        Filesize

        71KB

        MD5

        b5c30c2e48b60f04ef5caffd4b786f6c

        SHA1

        7db19584bbb17ee7fba43f4798b4b9e781406c0c

        SHA256

        9a45b114e16fe039d6e4f9ed3ec040dd4c3674744cc63bb8398ef63623272966

        SHA512

        c674e6c22d6945e2f616fb7dcc8682b2a79bb12d531aa0abd98706fceb4ed3713166888d1ce069030cc2390b15de9d1923aac9ecc1ac7464e92037af3c837d06

      • C:\Users\Admin\AppData\Local\Temp\TarA04C.tmp

        Filesize

        177KB

        MD5

        435a9ac180383f9fa094131b173a2f7b

        SHA1

        76944ea657a9db94f9a4bef38f88c46ed4166983

        SHA256

        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

        SHA512

        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      • C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat

        Filesize

        152B

        MD5

        3b007eaf577c6c2c056f08bc120533c7

        SHA1

        5b8c707bab3cdc69f1d7078a11799958608d9e63

        SHA256

        fdef3e1ebe873d7757b1f34a0d71a4687c35b9271672aa3e38a7d7e9cb4917f3

        SHA512

        c28672c0c4929da44a991b706daccbe91199ab263750008e3f030f2193d6f522ba6868808d55ee0b3a35098b8ec4873df9d04de84a7d54efd27e89c8e8a97e36

      • C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe

        Filesize

        48KB

        MD5

        7fd8581748cdf137023ef96f1286ce0f

        SHA1

        c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a

        SHA256

        0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6

        SHA512

        bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

      • C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

        Filesize

        109KB

        MD5

        ca684dc5ebed4381701a39f1cc3a0fb2

        SHA1

        8c4a375aa583bd1c705597a7f45fd18934276770

        SHA256

        b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

        SHA512

        8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

      • C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

        Filesize

        432KB

        MD5

        5b4af32e0442d4558a0274d634bd9159

        SHA1

        f5791272526b24671b0130a7559fdf86b89016aa

        SHA256

        496eea519c2b6efae4d7b2b08cc1e81ab9d03c152b61beb084967fb7e1c981b5

        SHA512

        650f40a79fd99b0f5f302364f5914ab877c7f6d04f00cdf1d5ddb1bea9bb740f5ccdae87e7ff2b3acf09ed2ab3d673ee28eb0ff66ff101072534c113d5a93e82
