Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-12-2024 09:26
General
-
Target
Launcher.exe
-
Size
364KB
-
MD5
93fde4e38a84c83af842f73b176ab8dc
-
SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8
-
SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
-
SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
-
SSDEEP
6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Malware Config
Extracted
amadey
5.03
9c0a5d
http://185.208.158.116
http://185.209.162.226
http://zapsnn.com
-
install_dir
cdf9d60151
-
install_file
Gxtuum.exe
-
strings_key
5866d84c2de724a41612b3c391bae33f
-
url_paths
/bVoZEtTa1/index.php
/bVoZEtTa2/index.php
/bVoZEtTa3/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"3⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\services\winrar.exe"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01 C:\Users\Admin\AppData\Roaming\services5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Roaming\services\plugin342C:\Users\Admin\AppData\Roaming\services\plugin3425⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\services\plugin342"C:\Users\Admin\AppData\Roaming\services\plugin342"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\10000030111\e3f0dc6bcb.dll, Main7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f7⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\services\winrar.exe"C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02 C:\Users\Admin\AppData\Roaming\services\data5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Roaming\services\data\2plugin4325C:\Users\Admin\AppData\Roaming\services\data\2plugin43255⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\services\data\2plugin4325"C:\Users\Admin\AppData\Roaming\services\data\2plugin4325"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Roaming\services\plugin342C:\Users\Admin\AppData\Roaming\services\plugin3425⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\services\plugin342"C:\Users\Admin\AppData\Roaming\services\plugin342"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f & exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "CrowdstrikeEngine" /t REG_SZ /d "rundll32.exe C:\Users\Admin\AppData\Roaming\CiscoUpdater0009901.dll",EntryPoint /f7⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD534f019243f26b48a771bda3c3388c352
SHA136de5e5f6a82f0f6cf64fe087841fd3dc5d2fdf5
SHA2563700678b955237856f59c393453e33dbe5f873051178b7a2308087668aa3e621
SHA512d9fa2cedb461378c7e717ec1c4d9b31a76194c4a84377fe75373a7a5efef7109da754b827c30a856d99adef78c31dbf1c0dfa692fc2baf0dababab179f30449b
-
Filesize
342B
MD5786bda496c91fce9a4ec2d26065a3e56
SHA1400101de0763f598c6338837181cccdfea45a220
SHA256df2ec7f7a861aefa1165dd3e62e1b853df17d51b4fcf3b3c0797450e871ade0a
SHA512da7b3e6b462b3d8a1c6423b3ad98c9ffca9514ecd432f3cabee27ca852dd9d7c712ec112d267203e1709c82b3c0d7eac77d5eb9e0e611baf47a334b590149e36
-
Filesize
342B
MD5631ba8c6d552f5fe4231f1362e18ce24
SHA1a9c7d7b19d25911b43004517983d8fa08536e7ae
SHA256e24d34d235d1e7c20968cb9c63e136a737b8e78c1e86c8f1091d8e390348d979
SHA5123dc0ef938b8df812351e2d41009cf0c92ec01519edf538dc0b9b75e6328e0694d56b06f3d471a752205a02fb259c4c94d5449c2f7ebdb632bca8e840869e4b66
-
Filesize
22.4MB
MD55eaf0609175d5263d5a8ac9b0726f07c
SHA1ae8c1549cb2e52326304986470867050d1831ce8
SHA2561fef98b090448d2c0802e338641225f1d4152b2afb55e79e0b9b879d681369b7
SHA5121495ec27fac6591139d3837f471eed02dfca3baf47c6bc2f4b8b0a12e7fed99bd68c55b5bbd6976a180c39a293780884795946c7d89c4697f654ac4988c470ba
-
Filesize
11.2MB
MD5e33fa209c5cc5d192cfc3a5f8fe1ce05
SHA1b379e280ea40f025c43b824f506078e2a8b4b48e
SHA25669bdc4bd94b7f335225c804b3b3d4ecf05fc08de3e715dbf3e7df98c0364c780
SHA51236561390596040c8029c1b3a01420e286bdef46822d3e7735357604302a5ec9f53fdd51c80e10f7f180ca460f43c318e897125da20cf98ea22ce0fde1c84c518
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD5b4a2b3d810729e8f050541f8fbe665ed
SHA1eacbf33524c285a606e514a708594de3e37c98b2
SHA25629411b19bba3408c482cb7975cbe2e41d0876fa14c949dff3f6d4ddec41f11f6
SHA5122f7a6451602d43ea55fb2a353231746991e40014fb84682d70f9f6b238d98046a5c4b5ea918fd9ec9ea4634ec0f1c5c14bd9a0ade9ad50931709fd18d3597d92
-
Filesize
12B
MD514c1bd2f8e346fb43a6dc7e992fda5f8
SHA1b902ae00fbb4c2b936803d7a0fc28876a5d858f6
SHA25603b56c8caca8895ae5edb22b3a9b910fcf749211d0d1a11f700ca776de21e287
SHA5127c9bf62de75c1e47ff3eee12b8d410d67895d3a6144d269f147379d83911874d226301161d19f4a9b5fa8237a09e2d552896ba185f37c9139e06cab23e772802
-
Filesize
5.6MB
MD55377db404fce684c13e14f5e22e2ffcb
SHA1f23129fba59eec620cef0b5277dcce066f515ca5
SHA2568abec78570a9d71983a87f8f82e50d9e6a2ccd56e39d144b8eda2ffe09a58e6e
SHA512059dac872c1c8d65842b91359a7b840e85e14061f32aacdba0de3e968945bf5d8a36e7184c7c28f10f5fc5ee9a650ab49e61b9554a211123174401294190e04d
-
Filesize
6.0MB
MD54317da7f0bb34899a708cbe2dcedaa54
SHA1bef4efd6f1576fc08b63faefe3fb8a60ff127aeb
SHA25672651def1eee171810540cc5b44118692849e22f60e46f1eee67e06063af5aff
SHA5122fefb66930e7efdae48cc5b2a3eca53ebac0ef49225fa7265056537624e34aa38e09d01168aa67a92cdbc50f081b35e9240c56169759d13bb545825196a43bd7
-
Filesize
7.1MB
MD57a04dcd7388b330f4745f8de2bf9605f
SHA1ec746c2dc9b9f1c7667585a1fdc5769389d07b8b
SHA2566683f3e6c27fd2c204f5c5d9c9e202a50b226258a00ec0f4ed75b046be1c6110
SHA512104609c6b0a3ae8d12369d3c684d698bb009b3e849081be8d3c137d85993ae686e671abf1fa607cdc0b51fe21362fcf71cc1982eac8de31297561811eb19b37b
-
Filesize
2KB
MD5ab117f05d16af429ceeb2410593d54df
SHA1a962e8bc68293d8759be561eec09de5170148766
SHA2564daf580ce0f912b8a4f5e56e4721880792a8a4dca68495b5f2aafaf5e6ebad6d
SHA51207ac23a0906f544bd298e1931e4c6237082b8c46be987e62b69c3dc2899fbec2a9fb5eefd1a81eee665f65e42d3fe4c4400501edd66518e79d488e4b52d31ee3
-
Filesize
364KB
MD5e5c00b0bc45281666afd14eef04252b2
SHA13b6eecf8250e88169976a5f866d15c60ee66b758
SHA256542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
SHA5122bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387
-
Filesize
1KB
MD5f0fc065f7fd974b42093594a58a4baef
SHA1dbf28dd15d4aa338014c9e508a880e893c548d00
SHA256d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693
SHA5128bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe
-
Filesize
3.2MB
MD5fd2f2543267e88ee102de87a6385a1b0
SHA11d23637a34ac33c1f842749877acebd18c70f00b
SHA2563e76a6a04eb32e640a4f2873faf2028703307bb8a2620b94d71c2536b0b6c5fe
SHA512acc5f64688a34482fed7e7d133c435c94df37b0097ebb15c5d1a5631f8101e23cc092a9282f4ff84155c7972009b0b77c23eee38386f56de1e404e1d0e2cddc8
-
Filesize
4KB
MD5782da0b6fb776ba2bba525f767b6e078
SHA1548bb11b03a16d6f27daa99f7ff5ef45862f98fb
SHA2560742c6aab43f9be96d9e03fbee99d5f3bf6cdfddccde3726b61db3f0893d6d8a
SHA512466d26a2203035040b3e8f3e7b9406e4392537d5ee323c44f1f74339dbb39258216ee736002186c361358ceeb0503ed0461e41c15eb5b251d38bb24768958237
-
Filesize
364KB
MD593fde4e38a84c83af842f73b176ab8dc
SHA1e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA51248720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
-
Filesize
1KB
MD51b6de83d3f1ccabf195a98a2972c366a
SHA109f03658306c4078b75fa648d763df9cddd62f23
SHA256e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724
SHA512e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce
-
Filesize
5.7MB
MD5ce00e40cbce6d3267e210f12e4e87a43
SHA1388d00a34f419646a10de6aa028943892a0461dd
SHA256e2cf5cfcb918abd8a8b65b8e1d6090d975560b81a91dfaac3f8e4d4149caeb06
SHA512874049bcd9af9111111f972018fec5598d1e40bf41d9e4ff491c7b5bd730a25775438038a470655852d1eccf0ec9a1389c46f8c8243aa39edf0947244fdf005e
-
Filesize
2.7MB
MD5a0fab21c52fb92a79bc492d2eb91d1d6
SHA103d14da347c554669916d60e24bee1b540c2822e
SHA256e10f9d22cdbc39874ce875fd8031c3db26f58daf20ee8ae6a82de9ed2dfc7863
SHA512e37d3d09eef103bfe043c74921296c0b8195a3e43a3801340a9953f44f512e81acbc2051f0305a3a3f41bb98cd4587bb65c3b3a96d702b048199d24a120b446e
-
Filesize
2.1MB
MD5f59f4f7bea12dd7c8d44f0a717c21c8e
SHA117629ccb3bd555b72a4432876145707613100b3e
SHA256f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
SHA51244811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c
-
Filesize
4KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
9.5MB
-
Filesize
584KB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
7.1MB
-
Filesize
9.5MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
9.5MB
-
Filesize
9.5MB