File name:	Reminder.exe
Full analysis:	https://app.any.run/tasks/db335a2b-98c3-4a30-b963-ef78e0117844
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 22, 2024, 00:36:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer rdp
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D743BB6502147D38ADDB430590BC7A98
SHA1:	16CD70DD31FC54C0E42695441DBF3EAB5DE2E2BD
SHA256:	EBE565A1A2B13E3CBCF7BCC58EA8BEE81BD1ED2FED0E5977DC9E108EE8CBAE95
SSDEEP:	98304:rrq3BdwBsUBDPtvYZ6/vJsjSCPPuqV8aY/nsZLcGAXdO008HY/5UroTzROoF4XLC:nq6f1vJhz17PPH/idQZS8t8rt

.exe	\|	Inno Setup installer (56.2)
.exe	\|	Win32 EXE PECompact compressed (generic) (21.3)
.exe	\|	Win32 EXE Yoda's Crypter (13.6)
.dll	\|	Win32 Dynamic Link Library (generic) (3.3)
.exe	\|	Win32 Executable (generic) (2.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:12 07:26:53+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	685056
InitializedDataSize:	149504
UninitializedDataSize:	-
EntryPoint:	0xa83bc
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	3.2565.51.5
ProductVersionNumber:	3.2565.51.5
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Acronis International GmbH
FileDescription:	Acronis Media Builder
FileVersion:	29.1.1.41505
LegalCopyright:	Acronis
OriginalFileName:
ProductName:	Acronis True Image
ProductVersion:	29.1.1.41505


(PID) Process:	(2736) Updater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	fdeahdg
Value: "C:\begcffd\AutoIt3.exe" C:\begcffd\fdeahdg.a3x
(PID) Process:	(6124) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6124) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6124) MSBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6640	Reminder.tmp	C:\Users\admin\AppData\Local\Temp\is-HPB9T.tmp\_isetup\_isdecmp.dll		executable
		MD5:077CB4461A2767383B317EB0C50F5F13	SHA256:8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
5328	Reminder.exe	C:\Users\admin\AppData\Local\Temp\is-3VJ84.tmp\Reminder.tmp		executable
		MD5:4BFB5A37DC6ACBC273CEB792408BFEC9	SHA256:E35B01344C6ABD6463439DC23A450C3ED5FA656778647CBEA070E1F6A4A9C906
6676	Reminder.exe	C:\Users\admin\AppData\Local\Temp\is-JI1I6.tmp\Reminder.tmp		executable
		MD5:4BFB5A37DC6ACBC273CEB792408BFEC9	SHA256:E35B01344C6ABD6463439DC23A450C3ED5FA656778647CBEA070E1F6A4A9C906
2736	Updater.exe	C:\begcffd\fdeahdg.a3x		binary
		MD5:356418D32F4117C84B577BE53DC1BBF2	SHA256:0D8586DA0418EAD69F96ECC3A19BF61AF9A6F8BCC42602E0D6F00F80C5E6CAA1
6664	Reminder.tmp	C:\Users\admin\AppData\Local\Temp\is-V6VC8.tmp\_isetup\_isdecmp.dll		executable
		MD5:077CB4461A2767383B317EB0C50F5F13	SHA256:8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
6664	Reminder.tmp	C:\Users\admin\AppData\Local\coigned\friendliwise.csv		binary
		MD5:70AE9B8A733EAA5A6AC51F701F86F73D	SHA256:151EC6640A046099F9FF5CC3A19001ACBC2D1C4CC8BD8C8BB43BA598CCAC6681
6664	Reminder.tmp	C:\Users\admin\AppData\Local\coigned\is-IB9UT.tmp		executable
		MD5:3F58A517F1F4796225137E7659AD2ADB	SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
6664	Reminder.tmp	C:\Users\admin\AppData\Local\coigned\Updater.exe		executable
		MD5:3F58A517F1F4796225137E7659AD2ADB	SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
2736	Updater.exe	C:\begcffd\AutoIt3.exe		executable
		MD5:3F58A517F1F4796225137E7659AD2ADB	SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
6664	Reminder.tmp	C:\Users\admin\AppData\Local\coigned\is-MSFBF.tmp		a3x
		MD5:70AE9B8A733EAA5A6AC51F701F86F73D	SHA256:151EC6640A046099F9FF5CC3A19001ACBC2D1C4CC8BD8C8BB43BA598CCAC6681

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5512	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6124	MSBuild.exe	POST	200	152.89.198.124:80	http://152.89.198.124/8bdDsv3dk2FF/index.php	unknown	—	—	malicious
2776	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7160	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7160	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6124	MSBuild.exe	POST	200	152.89.198.124:80	http://152.89.198.124/8bdDsv3dk2FF/index.php	unknown	—	—	malicious
6124	MSBuild.exe	POST	200	152.89.198.124:80	http://152.89.198.124/8bdDsv3dk2FF/index.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1752	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4360	SearchApp.exe	104.126.37.145:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2776	svchost.exe	20.190.159.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2776	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4360	SearchApp.exe	104.126.37.131:443	www.bing.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 52.191.219.104	whitelisted
www.bing.com	104.126.37.145 104.126.37.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	216.58.212.142	whitelisted
login.live.com	20.190.159.71 20.190.159.75 20.190.159.64 20.190.159.2 40.126.31.67 20.190.159.68 20.190.159.23 20.190.159.4	whitelisted
th.bing.com	104.126.37.131 104.126.37.145	whitelisted
go.microsoft.com	184.30.17.189	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
arc.msn.com	20.103.156.88	whitelisted

PID	Process	Class	Message
6124	MSBuild.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 24
6124	MSBuild.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6124	MSBuild.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)

General Info

Reminder.exe

D743BB6502147D38ADDB430590BC7A98

16CD70DD31FC54C0E42695441DBF3EAB5DE2E2BD

EBE565A1A2B13E3CBCF7BCC58EA8BEE81BD1ED2FED0E5977DC9E108EE8CBAE95

98304:rrq3BdwBsUBDPtvYZ6/vJsjSCPPuqV8aY/nsZLcGAXdO008HY/5UroTzROoF4XLC:nq6f1vJhz17PPH/idQZS8t8rt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

Starts CMD.EXE for self-deleting

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Changes the autorun value in the registry

Connects to the CnC server

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Get information on the list of running processes

Reads the Windows owner or organization settings

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Hides command output

Runs PING.EXE to delay simulation

Contacting a server suspected of hosting an CnC

There is functionality for enable RDP (YARA)

Connects to the server without a host name

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

The process uses the downloaded file

Reads mouse settings

Process checks computer location settings

Reads Windows Product ID

Reads the machine GUID from the registry

Creates files in the program directory

Checks proxy server information

Creates files or folders in the user directory

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections