Windows
Analysis Report
5GPueTFF2S.exe
Overview
General Information
Detection
Amadey, Vidar
Score | 100
---|---
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Yara detected Amadey's stealer DLL
Malicious sample detected (through community Yara rule)
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Self deletion via cmd or bat file
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Uses cacls to modify the permissions of files
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- 5GPueTFF2S.exe (PID: 5848 cmdline: C:\Users\user\Desktop\5GPueTFF2S.exe MD5: 7D124BC23BE85D73B1177143F41B5E72)
- 75873290272674793137.exe (PID: 6132 cmdline: "C:\ProgramData\75873290272674793137.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- gntuud.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- schtasks.exe (PID: 5724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 3644 cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\03bd543fce" /P "user:N"&&CACLS "..\03bd543fce" /P "user:R" /E&&Exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 3856 cmdline: CACLS "gntuud.exe" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 4760 cmdline: CACLS "gntuud.exe" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cmd.exe (PID: 4384 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cacls.exe (PID: 5932 cmdline: CACLS "..\03bd543fce" /P "user:N" MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- cacls.exe (PID: 4532 cmdline: CACLS "..\03bd543fce" /P "user:R" /E MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
- rundll32.exe (PID: 5968 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cmd.exe (PID: 5576 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\user\Desktop\5GPueTFF2S.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- timeout.exe (PID: 3216 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
- gntuud.exe (PID: 5956 cmdline: C:\Users\user\AppData\Local\Temp\03bd543fce\gntuud.exe MD5: 2239A58CC93FD94DC2806CE7F6AF0A0B)
- cleanup
{"C2 url": "85.209.135.109/jg94cVd30f/index.php", "Version": "3.50"}
{"C2 url": ["http://135.181.10.220:80", "https://t.me/vmt001"], "Botnet": "1760", "Version": "56.1"}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Amadey | Yara detected Amadey bot | Joe Security |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
| JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
| JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
No Sigma rule has matched
No Snort rule has matched
AV Detection
Source | Detection
---|---
| Avira URL Cloud
| ReversingLabs
| ReversingLabs
| ReversingLabs
| Joe Sandbox ML
| Malware Configuration Extractor
| Malware Configuration Extractor
Compliance