Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Overview
General Information
Detection
Amadey, RisePro Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Amadey's stealer DLL
Yara detected RisePro Stealer
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe (PID: 2696 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe MD5: B1C4BE84E40E10B9FF3EB14074B402AF)
- schtasks.exe (PID: 2716 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 4128 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- uZN1wC5UClYhYsdlFwua.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe" MD5: 150ACBEA78ED677FDE9DD1205A2C19CE)
- chrome.exe (PID: 7468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2240,i,13921391222393483847,4761716452769052744,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7504 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 8008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1936,i,9470944878376775622,9282164384408437932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 7596 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 8376 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2032,i,14926049002452561155,8058973995250590253,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 8088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 8804 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,5261861388896760932,16148386498067072536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- msedge.exe (PID: 8936 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9400 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2000,i,1768132111865368519,4233067863729302844,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9088 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2040,i,4242032244317925949,13582260468211936677,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 7660 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9944 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1044 --field-trial-handle=1980,i,7429992928385286623,7793563262023415806,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- chrome.exe (PID: 7812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 8788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 9832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- firefox.exe (PID: 10156 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 8004 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 9720 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- schtasks.exe (PID: 5840 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 9484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- schtasks.exe (PID: 10236 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 8500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- MPGPH131.exe (PID: 7108 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B1C4BE84E40E10B9FF3EB14074B402AF)
- MPGPH131.exe (PID: 2952 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B1C4BE84E40E10B9FF3EB14074B402AF)
- RageMP131.exe (PID: 1576 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B1C4BE84E40E10B9FF3EB14074B402AF)
- RageMP131.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B1C4BE84E40E10B9FF3EB14074B402AF)
- svchost.exe (PID: 8040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- msedge.exe (PID: 9752 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com MD5: 69222B8101B0601CC6663F8381E7E00F)
- msedge.exe (PID: 9856 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=2068,i,2594464745236278957,17215954924354817473,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
- firefox.exe (PID: 10840 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 10932 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 10664 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2256 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 2172 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9141712d-886b-4ac1-89cb-a74a59119952} 10932 "\\.\pipe\gecko-crash-server-pipe.10932" 2ddd776e910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 10948 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 11052 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 10992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- firefox.exe (PID: 11060 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- MSIUpdaterV131.exe (PID: 10372 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: BF01128C8361CDDD4EF77CBCA07E0F5B)
- MSIUpdaterV131.exe (PID: 10716 cmdline: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe MD5: BF01128C8361CDDD4EF77CBCA07E0F5B)
- AdobeUpdaterV131.exe (PID: 10516 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe" MD5: BF01128C8361CDDD4EF77CBCA07E0F5B)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
Source: | Author: vburov |
⊘No Snort rule has matched
AV Detection |
---|
Source: | Avira URL Cloud: 8 detections (URLs not shown) |
Source: | Avira: 2 detections |
Source: | ReversingLabs: 2 detections |
Source: | Joe Sandbox ML: 4 detections |
Further signature evidence (signature headings not shown) |
---|
Source: | Code function: 0_2_0008FFC0, 0_2_0008FEE0, 6_2_005DFFC0, 6_2_005DFEE0 |
Source: | Static PE information: 1 entry |
Source: | Code function: 0_2_0007C050, 0_2_0014B4E5 |
Source: | File opened: 6 entries |
Source: | Memory has grown: 1 entry |
Source: | IP Address: 3 entries |
Source: | Code function: 0_2_0008DBB0 |
Source: | String found in binary or memory: 19 entries |