File name:	BANDICUT.msi
Full analysis:	https://app.any.run/tasks/77c42a11-0424-4e80-87ea-7bcb7f0dde52
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 02, 2024, 13:56:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {4203B04D-806D-4EBE-BCFF-E19C0C1E195F}, Number of Words: 2, Subject: Windows Service Association, Author: Microsoft, Name of Creating Application: Windows Service Association, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Service Association., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:	087D510F4D69F6FAA479E4919F51A175
SHA1:	084C49D7C83B257AACF8C94B28B992C326A2AD09
SHA256:	1DD7892458EAB123C341452AFF6F4D817F290EFC7F8C97B76BDB78E1E1FCF8D2
SSDEEP:	98304:B9IOolfYojhBef1RmHW5LIOmT+1jto4694/QT3IkBvbLn3oYkbCLaCfElqQh4Caz:z+qj9SjM

.msi	\|	Microsoft Windows Installer (81.9)
.mst	\|	Windows SDK Setup Transform Script (9.2)
.msp	\|	Windows Installer Patch (7.6)
.msi	\|	Microsoft Installer (100)

LastPrinted:	2009:12:11 11:47:44
CreateDate:	2009:12:11 11:47:44
ModifyDate:	2020:09:18 14:06:51
Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{4203B04D-806D-4EBE-BCFF-E19C0C1E195F}
Words:	2
Subject:	Windows Service Association
Author:	Microsoft
LastModifiedBy:	-
Software:	Windows Service Association
Template:	;1033
Comments:	This installer database contains the logic and data required to install Windows Service Association.
Title:	Installation Database
Keywords:	Installer, MSI, Database
Pages:	200


(PID) Process:	(2808) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: F80A000071E016F7D214DB01
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 8235DC7FC94D3263D5CD273E82492F8FF7E17DF03004AED4552E280530EA811C
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\3f7510.rbs
Value: 31134930
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\3f7510.rbsLow
Value:
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2D208A7AC4793F146B25264174A9500B
Operation:	write	Name:	A881E280AF7676D429E08C0512D56BCE
Value: C:\Program Files (x86)\Microsoft\Windows Service Association\
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6A803C3591405434F9108DE8AA427B1F
Operation:	write	Name:	A881E280AF7676D429E08C0512D56BCE
Value: 02:\Software\Microsoft\Windows Service Association\Version
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\348656E90AF6BE54485486DEE1BCB3A1
Operation:	write	Name:	A881E280AF7676D429E08C0512D56BCE
Value: C:\Users\Public\Documents\Dropbox.exe
(PID) Process:	(2808) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A893E4A58599D724D8D2CB9EA85EF280
Operation:	write	Name:	A881E280AF7676D429E08C0512D56BCE
Value: C:\Users\Public\Documents\CapCut_installer.exe

PID	Process	Filename		Type
1220	msiexec.exe	C:\Users\admin\AppData\Local\Temp\msi7D2C.txt		—
		MD5:—	SHA256:—
1220	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr7D2D.ps1		—
		MD5:—	SHA256:—
1220	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr7D2E.txt		—
		MD5:—	SHA256:—
1220	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pss7D3F.ps1		—
		MD5:—	SHA256:—
2808	msiexec.exe	C:\Windows\Installer\3f750e.msi		executable
		MD5:087D510F4D69F6FAA479E4919F51A175	SHA256:1DD7892458EAB123C341452AFF6F4D817F290EFC7F8C97B76BDB78E1E1FCF8D2
2808	msiexec.exe	C:\Windows\Installer\MSI7B0D.tmp		binary
		MD5:BE01224E859CA410C69F244B0BDB1B59	SHA256:E75E3D0FC1B933D1A25F5816571EE3CDA8D747EA752BA355DA40FFB213C00B81
2808	msiexec.exe	C:\Users\Public\Documents\Dropbox.exe		executable
		MD5:3B607E9AE169797C5112736DD445DB25	SHA256:E7141AEB22EA3165A4F7FB8C4D210151575F1B95EF545E0978A2174598A08265
2420	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_005wdun3.si5.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2808	msiexec.exe	C:\Windows\Temp\~DFA36B967FFB63937A.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
2808	msiexec.exe	C:\Windows\Temp\~DFFBFBCB9D47112880.TMP		binary
		MD5:A189A37F7FC5ADB7E83BED984EF48B58	SHA256:AD809252A7B3246E656B9FB2D0747BAF77E5CEC2C0C4C1D9CF12D591C9F9E6C2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6664	dropbox.exe	POST	200	45.202.35.101:80	http://45.202.35.101/pLQvfD4d/index.php	unknown	—	—	malicious
6664	dropbox.exe	POST	200	45.202.35.101:80	http://45.202.35.101/pLQvfD4d/index.php	unknown	—	—	malicious
—	—	GET	—	2.16.10.175:443	https://lf16-capcut.faceulv.com/obj/capcutpc-packages-sg/packages/CapCut_4_6_0_1754_capcutpc_0_creatortool.exe	unknown	—	—	—
—	—	GET	—	2.16.10.175:443	https://lf16-capcut.faceulv.com/obj/capcutpc-packages-sg/packages/CapCut_4_6_0_1754_capcutpc_0_creatortool.exe	unknown	—	—	—
—	—	GET	200	2.16.1.187:443	https://editor-api-sg.capcut.com/service/settings/v3/?app=1&aid=562354&arch_info=x86_64&device_id=2182455761&device_platform=windows&from_aid=562354&from_channel=capcutpc_0&from_version=0.0.0&local_info=en_US&version_code=0.0.0	unknown	tss	2.04 Kb	unknown
—	—	POST	200	2.19.198.216:443	https://maliva-mcs.byteoversea.com/v1/json	unknown	binary	14 b	whitelisted
—	—	GET	200	23.216.77.69:443	https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/visual_effects/visual_effects_en.png	unknown	image	494 Kb	whitelisted
—	—	POST	200	2.19.198.209:443	https://maliva-mcs.byteoversea.com/v1/json	unknown	binary	14 b	whitelisted
—	—	POST	200	23.32.238.65:443	https://sgali-mcs.byteoversea.com/v1/json	unknown	binary	14 b	whitelisted
—	—	GET	200	23.216.77.71:443	https://sf16-va.tiktokcdn.com/obj/eden-va2/JW-abJwhJ/ljhwZthlaukjlkulzlp/installer/pic/v1/intelligent_subtitles/intelligent_subtitles_en.png	unknown	image	504 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5000	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5000	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6460	CapCut_installer.exe	2.16.1.187:443	editor-api-sg.capcut.com	Akamai International B.V.	NL	whitelisted
6460	CapCut_installer.exe	23.32.238.82:443	maliva-mcs.byteoversea.com	Akamai International B.V.	DE	whitelisted
6460	CapCut_installer.exe	23.32.238.58:443	maliva-mcs.byteoversea.com	Akamai International B.V.	DE	whitelisted
6460	CapCut_installer.exe	23.216.77.71:443	sf16-va.tiktokcdn.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
editor-api-sg.capcut.com	2.16.1.187 2.16.1.201	unknown
maliva-mcs.byteoversea.com	23.32.238.82 23.32.238.64 23.32.238.66 23.32.238.65 23.32.238.74 23.32.238.75 23.32.238.73 23.32.238.72 23.32.238.80 23.32.238.58 23.32.238.59 23.32.238.50 23.32.238.48 23.32.238.57 23.32.238.43 23.32.238.56 2.19.126.158 2.19.126.152 2.19.126.153 2.19.126.156 2.19.126.155 2.19.126.160 2.19.126.159 2.19.126.154 2.19.126.157	whitelisted
sf16-va.tiktokcdn.com	23.216.77.71 23.216.77.69	whitelisted
sgali-mcs.byteoversea.com	23.32.238.73 23.32.238.64 23.32.238.75 23.32.238.59 23.32.238.72 23.32.238.74 23.32.238.65 23.32.238.80 23.32.238.66	whitelisted
lf16-capcut.faceulv.com	2.16.10.168 2.16.10.175	unknown

PID	Process	Class	Message
6664	dropbox.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 5
6664	dropbox.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

General Info

BANDICUT.msi

087D510F4D69F6FAA479E4919F51A175

084C49D7C83B257AACF8C94B28B992C326A2AD09

1DD7892458EAB123C341452AFF6F4D817F290EFC7F8C97B76BDB78E1E1FCF8D2

98304:B9IOolfYojhBef1RmHW5LIOmT+1jto4694/QT3IkBvbLn3oYkbCLaCfElqQh4Caz:z+qj9SjM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Connects to the CnC server

Bypass execution policy to execute commands

SUSPICIOUS

Checks Windows Trust Settings

Reads the Windows owner or organization settings

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Likely accesses (executes) a file from the Public directory

Malware-specific behavior (creating "System.dll" in Temp)

Starts CMD.EXE for commands execution

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Application launched itself

The process executes Powershell scripts

The process hide an interactive prompt from the user

INFO

Reads security settings of Internet Explorer

Reads the software policy settings

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings