Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-04-2024 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe

  • Size

    1.9MB

  • MD5

    07cef615474a090cb5f7796b6ffed613

  • SHA1

    b9e912c5305acd8b06eb6642b247fa14f70123e2

  • SHA256

    949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9

  • SHA512

    bae595c50567a3e4c56a8e486189153075b0dc95c3b29e3e9be14954bd2337129c8a0618e467ee27a96f9518258b10b051e57a174fa04991ed9a11519e9ffd28

  • SSDEEP

    49152:FTnrnfpQW41aKqXFaj0Ur6hFjBGu9Fw50fSx0dFK+Z1u:Zrd44Kqwz6TjB9U50fNn

Score
10/10
amadeyevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe
    "C:\Users\Admin\AppData\Local\Temp\949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1520
  • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
            PID:3492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\263309122282_Desktop.zip' -CompressionLevel Optimal
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1408

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    2
    T1552.001

    Credentials in Registry

    1
    T1552.002

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
      Filesize

      1.9MB

      MD5

      07cef615474a090cb5f7796b6ffed613

      SHA1

      b9e912c5305acd8b06eb6642b247fa14f70123e2

      SHA256

      949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9

      SHA512

      bae595c50567a3e4c56a8e486189153075b0dc95c3b29e3e9be14954bd2337129c8a0618e467ee27a96f9518258b10b051e57a174fa04991ed9a11519e9ffd28

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfjqhzfc.k4u.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
      Filesize

      109KB

      MD5

      154c3f1334dd435f562672f2664fea6b

      SHA1

      51dd25e2ba98b8546de163b8f26e2972a90c2c79

      SHA256

      5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

      SHA512

      1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

      Download Submit
    • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
      Filesize

      1.2MB

      MD5

      f35b671fda2603ec30ace10946f11a90

      SHA1

      059ad6b06559d4db581b1879e709f32f80850872

      SHA256

      83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

      SHA512

      b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

      Download Submit
    • memory/1520-8-0x0000000005330000-0x0000000005331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-3-0x0000000005350000-0x0000000005351000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-7-0x0000000005320000-0x0000000005321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-6-0x0000000005390000-0x0000000005391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-0-0x0000000000BA0000-0x0000000001078000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1520-9-0x0000000005380000-0x0000000005381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-10-0x00000000053B0000-0x00000000053B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-11-0x00000000053A0000-0x00000000053A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-16-0x0000000000BA0000-0x0000000001078000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1520-5-0x0000000005340000-0x0000000005341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-4-0x0000000005360000-0x0000000005361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1520-2-0x0000000000BA0000-0x0000000001078000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1520-1-0x0000000077D56000-0x0000000077D58000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2276-29-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-78-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-24-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-25-0x0000000004D80000-0x0000000004D81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-26-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-27-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-28-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-23-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-30-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-22-0x0000000004D90000-0x0000000004D91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-87-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-86-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-85-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-20-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-84-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-83-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-82-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-81-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-80-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-65-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-19-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-77-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2276-21-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-79-0x00000000002F0000-0x00000000007C8000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2328-64-0x00007FFE2D550000-0x00007FFE2E012000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2328-58-0x000001FEAB9C0000-0x000001FEAB9CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2328-57-0x000001FEC4120000-0x000001FEC4132000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2328-56-0x000001FEAB980000-0x000001FEAB990000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2328-55-0x000001FEAB980000-0x000001FEAB990000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2328-52-0x000001FEAB990000-0x000001FEAB9B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2328-53-0x00007FFE2D550000-0x00007FFE2E012000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2328-54-0x000001FEAB980000-0x000001FEAB990000-memory.dmp
      Filesize

      64KB

      Download