amadey | c00d22bddf2c765e8c3f5df33fcd6e3aa81997524b2fbb9e2429e9e93a0cb471

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
13-04-2021 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe
Size

281KB
MD5

a50b83e1b156d4f8af909c31ba0852f8
SHA1

8cf60f7881cdcef9825ebfdebe436c1cdb1c5360
SHA256

c00d22bddf2c765e8c3f5df33fcd6e3aa81997524b2fbb9e2429e9e93a0cb471
SHA512

226e11a7fa28c466ab85c2361c9e3d6ec157ead352b8e20bd026d8fcc4a2bc69a0c192d967ac072d61c12a8d4b280714245199bc84902d31e463465c214c37cf

Score

10^/10

amadey remcos persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.11

176.111.174.67/7Ndd3SnW/index.php

Extracted

Family

remcos

resener.duckdns.org:3202

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

17 3712 rundll32.exe
22 816 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

rween.exerq4.exechrome.exerq4.exerq4.exe

pid process

2840 rween.exe
3180 rq4.exe
2212 chrome.exe
640 rq4.exe
2316 rq4.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3712 rundll32.exe
816 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
17	3712	rundll32.exe
22	816	rundll32.exe

pid	process
2840	rween.exe
3180	rq4.exe
2212	chrome.exe
640	rq4.exe
2316	rq4.exe

pid	process
3712	rundll32.exe
816	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exerq4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rq4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	rq4.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1128 schtasks.exe
Modifies registry class 1 IoCs

Processes:

rq4.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings rq4.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3712 rundll32.exe
3712 rundll32.exe
3712 rundll32.exe
3712 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

2212 chrome.exe

pid	process
1128	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	rq4.exe

pid	process
3712	rundll32.exe
3712	rundll32.exe
3712	rundll32.exe
3712	rundll32.exe

pid	process
2212	chrome.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exerween.execmd.exerq4.exeWScript.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 2840	1040	AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe	rween.exe
PID 1040 wrote to memory of 2840	1040	AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe	rween.exe
PID 1040 wrote to memory of 2840	1040	AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe	rween.exe
PID 2840 wrote to memory of 1456	2840	rween.exe	cmd.exe
PID 2840 wrote to memory of 1456	2840	rween.exe	cmd.exe
PID 2840 wrote to memory of 1456	2840	rween.exe	cmd.exe
PID 1456 wrote to memory of 2104	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2104	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2104	1456	cmd.exe	reg.exe
PID 2840 wrote to memory of 3712	2840	rween.exe	rundll32.exe
PID 2840 wrote to memory of 3712	2840	rween.exe	rundll32.exe
PID 2840 wrote to memory of 3712	2840	rween.exe	rundll32.exe
PID 2840 wrote to memory of 3180	2840	rween.exe	rq4.exe
PID 2840 wrote to memory of 3180	2840	rween.exe	rq4.exe
PID 2840 wrote to memory of 3180	2840	rween.exe	rq4.exe
PID 3180 wrote to memory of 1284	3180	rq4.exe	WScript.exe
PID 3180 wrote to memory of 1284	3180	rq4.exe	WScript.exe
PID 3180 wrote to memory of 1284	3180	rq4.exe	WScript.exe
PID 2840 wrote to memory of 1128	2840	rween.exe	schtasks.exe
PID 2840 wrote to memory of 1128	2840	rween.exe	schtasks.exe
PID 2840 wrote to memory of 1128	2840	rween.exe	schtasks.exe
PID 1284 wrote to memory of 192	1284	WScript.exe	cmd.exe
PID 1284 wrote to memory of 192	1284	WScript.exe	cmd.exe
PID 1284 wrote to memory of 192	1284	WScript.exe	cmd.exe
PID 192 wrote to memory of 2212	192	cmd.exe	chrome.exe
PID 192 wrote to memory of 2212	192	cmd.exe	chrome.exe
PID 192 wrote to memory of 2212	192	cmd.exe	chrome.exe
PID 2840 wrote to memory of 816	2840	rween.exe	rundll32.exe
PID 2840 wrote to memory of 816	2840	rween.exe	rundll32.exe
PID 2840 wrote to memory of 816	2840	rween.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe
"C:\Users\Admin\AppData\Local\Temp\AVISO22320304865593466434503513026779123374052711179714384656950739964421029.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\ProgramData\011ab573a3\rween.exe
"C:\ProgramData\011ab573a3\rween.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
3⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
4⤵
PID:2104

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Users\Admin\AppData\Local\Temp\rq4.exe
"C:\Users\Admin\AppData\Local\Temp\rq4.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rq4.exe /TR "C:\Users\Admin\AppData\Local\Temp\rq4.exe" /F
3⤵
- Creates scheduled task(s)
PID:1128

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:816

C:\Users\Admin\AppData\Local\Temp\rq4.exe
C:\Users\Admin\AppData\Local\Temp\rq4.exe
1⤵
- Executes dropped EXE
PID:640

C:\Users\Admin\AppData\Local\Temp\rq4.exe
C:\Users\Admin\AppData\Local\Temp\rq4.exe
1⤵
- Executes dropped EXE
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\011ab573a3\rween.exe
MD5
a50b83e1b156d4f8af909c31ba0852f8

SHA1
8cf60f7881cdcef9825ebfdebe436c1cdb1c5360

SHA256
c00d22bddf2c765e8c3f5df33fcd6e3aa81997524b2fbb9e2429e9e93a0cb471

SHA512
226e11a7fa28c466ab85c2361c9e3d6ec157ead352b8e20bd026d8fcc4a2bc69a0c192d967ac072d61c12a8d4b280714245199bc84902d31e463465c214c37cf

Download Submit
C:\ProgramData\011ab573a3\rween.exe
MD5
a50b83e1b156d4f8af909c31ba0852f8

SHA1
8cf60f7881cdcef9825ebfdebe436c1cdb1c5360

SHA256
c00d22bddf2c765e8c3f5df33fcd6e3aa81997524b2fbb9e2429e9e93a0cb471

SHA512
226e11a7fa28c466ab85c2361c9e3d6ec157ead352b8e20bd026d8fcc4a2bc69a0c192d967ac072d61c12a8d4b280714245199bc84902d31e463465c214c37cf

Download Submit
C:\ProgramData\152115945878082047097707
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\5eba991cccd123\cred.dll
MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
C:\ProgramData\5eba991cccd123\scr.dll
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
fb3ccc6eb57452ab438c3d24d3a981d9

SHA1
272e3387aa7f7664d25dab9038cc223378a8e23f

SHA256
3dcd37f4d61b497d1145c1361ccd09dff5e9af2829f322b0b3231505fd8fa6db

SHA512
7c079b262a3e1ab9202f4874dbcbc5de2eff0932c8cd1b9f2bc7283dd4c11ee528c849b3f3130bd3bd64d9af2b0b666c03fd173aabdb5b8a835d74623f7315a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
MD5
63f46421ee29127a06658588fbfdb2f5

SHA1
0390d02334cde490530d1f7a70ff10d8a5b70ab6

SHA256
2de1483757ed6d1b4fd29c0fee8448568933e36faf39a81d5c1375d6e96b9cd8

SHA512
93bdce181124519e7442268ecf89842d6b56137c9483ea07b436dd676496e35ff33e1e3f51f0afb95fec3e2a0e18d56c4f58ff9b18606d25899fcf50a2083966

Download Submit
\ProgramData\5eba991cccd123\cred.dll
MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
\ProgramData\5eba991cccd123\scr.dll
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
memory/192-135-0x0000000000000000-mapping.dmp

Download
memory/640-145-0x0000000000A30000-0x0000000000B7A000-memory.dmp

Filesize
1.3MB

Download
memory/640-146-0x0000000000400000-0x0000000000A21000-memory.dmp

Filesize
6.1MB

Download
memory/816-141-0x0000000000000000-mapping.dmp

Download
memory/1040-115-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/1040-114-0x0000000002580000-0x00000000025AC000-memory.dmp

Filesize
176KB

Download
memory/1128-134-0x0000000000000000-mapping.dmp

Download
memory/1284-130-0x0000000000000000-mapping.dmp

Download
memory/1456-120-0x0000000000000000-mapping.dmp

Download
memory/2104-121-0x0000000000000000-mapping.dmp

Download
memory/2212-136-0x0000000000000000-mapping.dmp

Download
memory/2212-140-0x0000000000400000-0x0000000000A21000-memory.dmp

Filesize
6.1MB

Download
memory/2316-149-0x0000000000400000-0x0000000000A21000-memory.dmp

Filesize
6.1MB

Download
memory/2840-123-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/2840-122-0x0000000000980000-0x0000000000ACA000-memory.dmp

Filesize
1.3MB

Download
memory/2840-116-0x0000000000000000-mapping.dmp

Download
memory/3180-132-0x0000000000400000-0x0000000000A21000-memory.dmp

Filesize
6.1MB

Download
memory/3180-131-0x0000000000B80000-0x0000000000BA1000-memory.dmp

Filesize
132KB

Download
memory/3180-127-0x0000000000000000-mapping.dmp

Download
memory/3712-124-0x0000000000000000-mapping.dmp

Download