Overview

overview

10

Static

static

3

c92ec1cea5...f3.exe

windows7-x64

10

c92ec1cea5...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19/04/2024, 01:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe

  • Size

    436KB

  • MD5

    f6ee2a295cd2ba584f9a363ade3d55b3

  • SHA1

    c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c

  • SHA256

    c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3

  • SHA512

    7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b

  • SSDEEP

    6144:vZLBvj27DEXhnzCaknvrhHq6p5Km/OZ2iqzUhYA0FvYgtv3EagG64/dAdUcgf:hd72YmQ/mWZUzGUvYgt8FGBxcg

Score
10/10
amadeyspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.19

Attributes
  • install_dir

    cbb1d94791

  • install_file

    Dctooux.exe

  • strings_key

    fcebaf717c71f51f8908b537784e2bee

  • url_paths

    /8bjndDcoA3/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
    "C:\Users\Admin\AppData\Local\Temp\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
              PID:1392
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\309405411416_Desktop.zip' -CompressionLevel Optimal
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2764
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          PID:880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\309405411416
      Filesize

      67KB

      MD5

      78ce59ef71f555ef09e9706cc85e20eb

      SHA1

      1c0d07ad3caf255d3a4736b64ba6b3506841aeaa

      SHA256

      8f0216c63bf1aab2e65e1501cc0d4cc8b4995158be7f0023be0891d64fcd8cd4

      SHA512

      c67886b7b25d25c79429d9c38605b94a22f2e71b00d9cea00a83d5bf0040ea1cfafc88517cef470de5c5f2f4a36324402d0a54c92a90da1704233a241e9497df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe
      Filesize

      436KB

      MD5

      f6ee2a295cd2ba584f9a363ade3d55b3

      SHA1

      c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c

      SHA256

      c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3

      SHA512

      7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
      Filesize

      109KB

      MD5

      647ac550e51ad6d7e47a6f1e94e11fd2

      SHA1

      433991b760cbfd265d45240891300c3652aefe6f

      SHA256

      4d743335ff8cdf1e505f4bd82b0efafde077b9bf0f88a615db99feada880e3ba

      SHA512

      5a2905133e53490dcfdad84b65525f2925d1e82a609ad0ff551d8d90a3c61a3a58b370056b84aa5c33db71f49fffb86e58284dc317a3541d6f5572438e428bfb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
      Filesize

      1.2MB

      MD5

      877cb2f10c78a046d81f678f88d7a6a1

      SHA1

      0ecc4a6282a412802756dc5bfd1e60cf789f2687

      SHA256

      2caf66964f582a9a1add1f13205f8797f2f4e791d980000ea6b55c719c174ed2

      SHA512

      9a8ea29fcfcf2a4e274095819ba27261bf551c976b697ccc6fe0598d13c309042e317ec8a32d2a9dec38ebd8223fc6c9e08daf5c611cdc72c11c8fe91baf3399

      Download Submit

    • memory/1544-19-0x00000000002B0000-0x00000000003B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1544-3-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download

    • memory/1544-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1544-20-0x0000000002CC0000-0x0000000002D2F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/1544-2-0x0000000002CC0000-0x0000000002D2F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/1544-17-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download

    • memory/1544-5-0x00000000044E0000-0x00000000044E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2764-57-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2764-63-0x00000000023D0000-0x0000000002450000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-55-0x000000001B2A0000-0x000000001B582000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2764-56-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2764-64-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2764-58-0x00000000023D0000-0x0000000002450000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-59-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2764-60-0x00000000023D0000-0x0000000002450000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2764-61-0x00000000023D0000-0x0000000002450000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2916-62-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2916-33-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download

    • memory/2916-22-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download

    • memory/2916-65-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download

    • memory/2916-21-0x0000000002D70000-0x0000000002E70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2916-80-0x0000000000400000-0x0000000002C4F000-memory.dmp

      Filesize

      40.3MB

      Download