Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756293
MD5: efbdd62a08b28e63464f97d0600eaef8
SHA1: ee2037450f52a6095cd4365b0035072ee52bd7c2
SHA256: 3c96f5e66f70af3b7340f1d26163a6f299f6e48e53915f3e5a2d0d8402c15b15
Tags: Amadeyexe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: file.exe Virustotal: Detection: 37% Perma Link
Source: 193.56.146.194/h49vlBP/index.php Avira URL Cloud: Label: malware
Source: 193.56.146.194/h49vlBP/index.php Virustotal: Detection: 12% Perma Link
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll Virustotal: Detection: 83% Perma Link
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Virustotal: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Virustotal: Detection: 83% Perma Link
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Joe Sandbox ML: detected
Source: 5.3.rovwer.exe.2110000.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "193.56.146.194/h49vlBP/index.php", "Version": "3.50"}

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 2.2.file.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: rovwer.exe, rovwer.exe, 00000008.00000002.314799579.0000000000400000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: C:\xanegowituzimu\huyikuvicumi gevutojucirome_wemeluf-41\num.pdb source: file.exe, rovwer.exe.2.dr
Source: Binary string: FC:\xanegowituzimu\huyikuvicumi gevutojucirome_wemeluf-41\num.pdb0f source: file.exe, rovwer.exe.2.dr
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00420BA6 FindFirstFileExW, 2_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00420BA6 FindFirstFileExW, 8_2_00420BA6

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.5 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.56.146.194 80 Jump to behavior
Source: Malware configuration extractor URLs: 193.56.146.194/h49vlBP/index.php
Source: Joe Sandbox View ASN Name: LVLT-10753US
Source: Joe Sandbox View IP Address: 193.56.146.194
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00404180
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,VirtualProtect,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown, 2_2_00402C70
Source: file.exe, 00000002.00000002.299199463.000000000072A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 00000008.00000002.315094938.000000000069E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000002.298616677.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.315045334.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.299234828.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000008.00000002.315094938.000000000069E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000002.298616677.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.315045334.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.299234828.0000000000739000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040CBD0 2_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00429470 2_2_00429470
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0042848D 2_2_0042848D
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00432890 2_2_00432890
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_0040CBD0 8_2_0040CBD0
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00429470 8_2_00429470
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_0042848D 8_2_0042848D
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00432890 8_2_00432890
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: String function: 00418C40 appears 40 times
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: rovwer.exe.2.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process Stats: CPU usage > 98%
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll DE81531468982B689451E85D249214D0AA484E2FFEDFD32C58D43CF879F29DED
Source: file.exe Virustotal: Detection: 37%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main Jump to behavior
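Added example (not part of the Joe Sandbox report and not Amadey's code): detection logic, in Python, that runs over the persistence actions listed in this process tree and in the Boot Survival section: the every-minute schtasks task, the rundll32 launch of cred64.dll from the Roaming profile, and the write to the Explorer User Shell Folders Startup value. The command lines and the registry value are taken from the report; the event dictionaries that wrap them, the field names, the 5-minute modifier threshold, the treatment of Users\Public as user-writable, and the assumption that schtasks defaults a missing /MO to 1 are this example's own choices.

```python
import re

# Constructed sample events. The command lines and the registry value are copied
# from the report; the wrapper (fields a Sysmon process-creation or registry-set
# event would carry) is an assumption made for this example.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                     r'/TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F'},
    {"event": "process_create",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main'},
    {"event": "registry_set",
     "image": r"C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup"},
    # Benign control (constructed): a daily task whose action lives under Program Files.
    {"event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
]

# Directories a standard user can write to. The report shows Temp and Roaming;
# Users\Public is added on the assumption that it deserves the same treatment.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|Temp)\\", re.IGNORECASE)


def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def parse_schtasks(command_line):
    """Map schtasks switches (upper-cased) to their value, or True for bare flags."""
    tokens = tokenize(command_line)
    switches = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]
                i += 2
                continue
            switches[key] = True
        i += 1
    return switches


def rule_schtasks_minute_persistence(event):
    """schtasks /Create with a MINUTE schedule, a small modifier and an action in a user-writable directory."""
    if not event["image"].lower().endswith("schtasks.exe"):
        return None
    sw = parse_schtasks(event.get("command_line", ""))
    if "/CREATE" not in sw or str(sw.get("/SC", "")).upper() != "MINUTE":
        return None
    try:
        every = int(sw.get("/MO", 1))  # assumption: schtasks treats a missing /MO as 1
    except ValueError:
        return None
    action = str(sw.get("/TR", ""))
    if every > 5 or not USER_WRITABLE.search(action):
        return None
    return ("schtasks_minute_persistence", f"task {sw.get('/TN')} runs {action} every {every} min")


def rule_rundll32_user_profile_dll(event):
    """rundll32 handed a DLL path under the user profile; records the entry point named."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    tokens = tokenize(event.get("command_line", ""))
    if len(tokens) < 2:
        return None
    # rundll32 syntax is "<dll>,<entry>"; the comma may be attached to either side.
    dll, _, entry = " ".join(tokens[1:]).partition(",")
    dll, entry = dll.strip(), entry.strip().split(" ")[0]
    if not USER_WRITABLE.search(dll):
        return None
    return ("rundll32_user_profile_dll", f"{dll} entry={entry or '?'}")


def rule_startup_folder_redirect(event):
    """A write to the per-user Startup shell-folder value (the 'undocumented autostart registry key' above)."""
    if event["event"] != "registry_set":
        return None
    if event["target"].lower().endswith(r"\explorer\user shell folders\startup"):
        return ("startup_folder_redirect", f'{event["image"]} set {event["target"]}')
    return None


RULES = (rule_schtasks_minute_persistence, rule_rundll32_user_profile_dll, rule_startup_folder_redirect)


def evaluate(events):
    """Run every rule over every event; returns (rule_name, detail) hits in event order."""
    hits = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Two things in the report that the rules above do not use but that are worth keying on: the Roaming directory name bf045808586a24 is the first 14 characters of the mutex bf045808586a2473c5a7441da6f3bfa9 that rovwer.exe creates, and although the evasion section lists cred64.dll as a dropped PE that was never started, this process tree shows rundll32 being handed it and the stealing section shows that rundll32 process reading the Outlook, WinSCP, FileZilla and Pidgin locations, so the "not started" heuristic should not be trusted for DLLs executed through a host process.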
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe File created: C:\Users\user\AppData\Roaming\bf045808586a24 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\50c1695437 Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/5@0/2
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0073A19E CreateToolhelp32Snapshot,Module32First, 2_2_0073A19E
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\8bc64fd16a296ed5241c82ceefa4b079
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Mutant created: \Sessions\1\BaseNamedObjects\bf045808586a2473c5a7441da6f3bfa9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_01
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: rovwer.exe, rovwer.exe, 00000008.00000002.314799579.0000000000400000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: C:\xanegowituzimu\huyikuvicumi gevutojucirome_wemeluf-41\num.pdb source: file.exe, rovwer.exe.2.dr
Source: Binary string: FC:\xanegowituzimu\huyikuvicumi gevutojucirome_wemeluf-41\num.pdb0f source: file.exe, rovwer.exe.2.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 2.2.file.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 2.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418C86 push ecx; ret 2_2_00418C99
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0073F22D push 54850227h; ret 2_2_0073F286
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0073D360 push cs; ret 2_2_0073D37C
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0073ACB7 pushfd ; ret 2_2_0073ACB8
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00418C86 push ecx; ret 8_2_00418C99

Persistence and Installation Behavior

Source: Yara match File source: 00000005.00000003.343604843.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.343786461.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe File created: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 4332 Thread sleep time: -900000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 5072 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 2824 Thread sleep time: -1620000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 3124 Thread sleep time: -1440000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 2824 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe TID: 4332 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe API coverage: 5.5 %
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 2_2_00405400
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00420BA6 FindFirstFileExW, 2_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00420BA6 FindFirstFileExW, 8_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Thread delayed: delay time: 30000 Jump to behavior
Source: rundll32.exe, 00000009.00000003.307896414.0000000000A54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvA
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00418A67
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree, 2_2_004037D0
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041B901 mov eax, dword ptr fs:[00000030h] 2_2_0041B901
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041DF02 mov eax, dword ptr fs:[00000030h] 2_2_0041DF02
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00739A7B push dword ptr fs:[00000030h] 2_2_00739A7B
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_0041B901 mov eax, dword ptr fs:[00000030h] 8_2_0041B901
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_0041DF02 mov eax, dword ptr fs:[00000030h] 8_2_0041DF02
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00418163
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00418A67
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041CA80
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418BCC SetUnhandledExceptionFilter, 2_2_00418BCC
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00418163
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00418A67
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0041CA80
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Code function: 8_2_00418BCC SetUnhandledExceptionFilter, 8_2_00418BCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.5 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 193.56.146.194 80 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree, 2_2_00403F40
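Added example (not from the report and not the sample's code): a small Python matcher that tests an API call list for the suspended-process injection (process hollowing) skeleton visible in the function listed above: CreateProcess, GetThreadContext, WriteProcessMemory, SetThreadContext, ResumeThread, with other calls allowed in between. The call list is copied from the report line above; the pattern, the set of remote-memory preparation calls and the benign launcher trace are constructed for this example.

```python
import re

# The call list the report gives for file.exe function 2_2_00403F40 (copied from
# the report). It is the tool's static listing, not a runtime trace.
REPORTED_CALLS_00403F40 = (
    "GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,"
    "GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,"
    "WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree"
).split(",")

# Constructed benign control: a launcher that starts a child and waits for it.
LAUNCHER_TRACE = ["CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess", "CloseHandle"]

# Minimal ordered skeleton of hollowing: create the victim, read its thread
# context, write into it, point the context at the new code, resume.
HOLLOWING_PATTERN = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
                     "SetThreadContext", "ResumeThread")

# Calls that prepare remote memory between the context read and the first write
# (assumed set; the report shows VirtualAllocEx).
REMOTE_MEMORY_PREP = {"VirtualAllocEx", "NtAllocateVirtualMemory",
                      "NtUnmapViewOfSection", "ZwUnmapViewOfSection"}


def normalize(api):
    """Drop the ANSI/Unicode suffix so CreateProcessA and CreateProcessW compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def match_ordered(calls, pattern):
    """Index of each pattern element, matched left to right with gaps allowed, or None."""
    positions, cursor = [], 0
    for wanted in pattern:
        for i in range(cursor, len(calls)):
            if normalize(calls[i]) == wanted:
                positions.append(i)
                cursor = i + 1
                break
        else:
            return None
    return positions


def classify_trace(calls):
    """Report whether the hollowing skeleton is present and how the remote writes are set up."""
    positions = match_ordered(calls, HOLLOWING_PATTERN)
    if positions is None:
        return {"hollowing": False, "positions": None, "remote_writes": 0, "remote_alloc": False}
    ctx_read, first_write, ctx_write = positions[1], positions[2], positions[3]
    between_contexts = [normalize(c) for c in calls[ctx_read:ctx_write]]
    before_write = [normalize(c) for c in calls[ctx_read:first_write]]
    return {
        "hollowing": True,
        "positions": positions,
        # every write between reading and rewriting the context lands in the victim
        "remote_writes": between_contexts.count("WriteProcessMemory"),
        "remote_alloc": any(c in REMOTE_MEMORY_PREP for c in before_write),
    }


if __name__ == "__main__":
    print("2_2_00403F40:", classify_trace(REPORTED_CALLS_00403F40))
    print("launcher:", classify_trace(LAUNCHER_TRACE))
```

The report's listing is static (the calls present in the function, in address order), so the matcher says the skeleton is there, not that it ran; the creation flags (CREATE_SUSPENDED) and the write targets are not in the listing either, and a debugger that writes a breakpoint and restores a context would satisfy the same ordered pattern, so in a runtime trace check the flag and whether the writes land at the victim's image base before calling it hollowing. Note also that the rundll32 connections to 193.56.146.194 in the Networking section come from the rundll32 instance the process tree shows being launched with cred64.dll, so the "system process connects to network (likely due to code injection)" signature has a simpler explanation in this report than injection.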
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00404350 ShellExecuteA, 2_2_00404350
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior (this line is repeated 25 times in the report)
Source: C:\Users\user\AppData\Local\Temp\50c1695437\rovwer.exe Queries volume information: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll VolumeInformation Jump to behavior (this line is repeated twice in the report)
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418887 cpuid 2_2_00418887
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00418CA1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00418CA1
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00424BC4 _free,_free,_free,GetTimeZoneInformation,_free, 2_2_00424BC4
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 2_2_00405400
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0040CBD0 GetUserNameA,SetCurrentDirectoryA,GetFileAttributesA,CreateDirectoryA,GetFileAttributesA,GetModuleFileNameA,SetCurrentDirectoryA,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, 2_2_0040CBD0

Stealing of Sensitive Information

Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED
Source: Yara match File source: 00000005.00000003.343604843.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.343786461.0000000000674000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml Jump to behavior