amadey | b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
26-04-2021 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe
Size

330KB
MD5

1978e8a34b5178485275e2200cde5d14
SHA1

4b69cd44159b1ed5e70686ca786162c7f164ae2f
SHA256

b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e
SHA512

995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4

Score

10^/10

amadey remcos persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.11

176.111.174.67/7Ndd3SnW/index.php

Extracted

Family

remcos

resener.duckdns.org:3202

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

15 2352 rundll32.exe
19 204 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rween.exeRN1.exechrome.exe

pid process

812 rween.exe
2696 RN1.exe
1532 chrome.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2352 rundll32.exe
2352 rundll32.exe
204 rundll32.exe
204 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
15	2352	rundll32.exe
19	204	rundll32.exe

pid	process
812	rween.exe
2696	RN1.exe
1532	chrome.exe

pid	process
2352	rundll32.exe
2352	rundll32.exe
204	rundll32.exe
204	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RN1.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RN1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	RN1.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\""	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3040 schtasks.exe
Modifies registry class 1 IoCs

Processes:

RN1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings RN1.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

2352 rundll32.exe
2352 rundll32.exe
2352 rundll32.exe
2352 rundll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

1532 chrome.exe

pid	process
3040	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	RN1.exe

pid	process
2352	rundll32.exe
2352	rundll32.exe
2352	rundll32.exe
2352	rundll32.exe

pid	process
1532	chrome.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exerween.execmd.exeRN1.exeWScript.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 812	4040	SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe	rween.exe
PID 4040 wrote to memory of 812	4040	SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe	rween.exe
PID 4040 wrote to memory of 812	4040	SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe	rween.exe
PID 812 wrote to memory of 2540	812	rween.exe	cmd.exe
PID 812 wrote to memory of 2540	812	rween.exe	cmd.exe
PID 812 wrote to memory of 2540	812	rween.exe	cmd.exe
PID 2540 wrote to memory of 3808	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3808	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 3808	2540	cmd.exe	reg.exe
PID 812 wrote to memory of 2352	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 2352	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 2352	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 204	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 204	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 204	812	rween.exe	rundll32.exe
PID 812 wrote to memory of 2696	812	rween.exe	RN1.exe
PID 812 wrote to memory of 2696	812	rween.exe	RN1.exe
PID 812 wrote to memory of 2696	812	rween.exe	RN1.exe
PID 812 wrote to memory of 3040	812	rween.exe	schtasks.exe
PID 812 wrote to memory of 3040	812	rween.exe	schtasks.exe
PID 812 wrote to memory of 3040	812	rween.exe	schtasks.exe
PID 2696 wrote to memory of 1288	2696	RN1.exe	WScript.exe
PID 2696 wrote to memory of 1288	2696	RN1.exe	WScript.exe
PID 2696 wrote to memory of 1288	2696	RN1.exe	WScript.exe
PID 1288 wrote to memory of 3680	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 3680	1288	WScript.exe	cmd.exe
PID 1288 wrote to memory of 3680	1288	WScript.exe	cmd.exe
PID 3680 wrote to memory of 1532	3680	cmd.exe	chrome.exe
PID 3680 wrote to memory of 1532	3680	cmd.exe	chrome.exe
PID 3680 wrote to memory of 1532	3680	cmd.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe
"C:\Users\Admin\AppData\Local\Temp\SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\ProgramData\011ab573a3\rween.exe
"C:\ProgramData\011ab573a3\rween.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
3⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
4⤵
PID:3808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:204

C:\Users\Admin\AppData\Local\Temp\RN1.exe
"C:\Users\Admin\AppData\Local\Temp\RN1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN RN1.exe /TR "C:\Users\Admin\AppData\Local\Temp\RN1.exe" /F
3⤵
- Creates scheduled task(s)
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\011ab573a3\rween.exe
MD5
1978e8a34b5178485275e2200cde5d14

SHA1
4b69cd44159b1ed5e70686ca786162c7f164ae2f

SHA256
b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e

SHA512
995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4

Download Submit
C:\ProgramData\011ab573a3\rween.exe
MD5
1978e8a34b5178485275e2200cde5d14

SHA1
4b69cd44159b1ed5e70686ca786162c7f164ae2f

SHA256
b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e

SHA512
995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4

Download Submit
C:\ProgramData\152136866457237103368804
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\5eba991cccd123\cred.dll
MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
C:\ProgramData\5eba991cccd123\scr.dll
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RN1.exe
MD5
813ab5994a1060ea8591e00923f7c73f

SHA1
cf5cec935cdf310c996cf9d0b3a71d5747025430

SHA256
e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab

SHA512
c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RN1.exe
MD5
813ab5994a1060ea8591e00923f7c73f

SHA1
cf5cec935cdf310c996cf9d0b3a71d5747025430

SHA256
e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab

SHA512
c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
fb3ccc6eb57452ab438c3d24d3a981d9

SHA1
272e3387aa7f7664d25dab9038cc223378a8e23f

SHA256
3dcd37f4d61b497d1145c1361ccd09dff5e9af2829f322b0b3231505fd8fa6db

SHA512
7c079b262a3e1ab9202f4874dbcbc5de2eff0932c8cd1b9f2bc7283dd4c11ee528c849b3f3130bd3bd64d9af2b0b666c03fd173aabdb5b8a835d74623f7315a9

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
MD5
813ab5994a1060ea8591e00923f7c73f

SHA1
cf5cec935cdf310c996cf9d0b3a71d5747025430

SHA256
e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab

SHA512
c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
MD5
813ab5994a1060ea8591e00923f7c73f

SHA1
cf5cec935cdf310c996cf9d0b3a71d5747025430

SHA256
e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab

SHA512
c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48

Download Submit
\ProgramData\5eba991cccd123\cred.dll
MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
\ProgramData\5eba991cccd123\cred.dll
MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
\ProgramData\5eba991cccd123\scr.dll
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
\ProgramData\5eba991cccd123\scr.dll
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
memory/204-133-0x0000000002670000-0x00000000026AD000-memory.dmp

Filesize
244KB

Download
memory/204-129-0x0000000000000000-mapping.dmp

Download
memory/812-121-0x0000000000400000-0x0000000003DB5000-memory.dmp

Filesize
57.7MB

Download
memory/812-120-0x0000000003DC0000-0x0000000003E6E000-memory.dmp

Filesize
696KB

Download
memory/812-116-0x0000000000000000-mapping.dmp

Download
memory/1288-138-0x0000000000000000-mapping.dmp

Download
memory/1532-146-0x00000000001D0000-0x00000000001F1000-memory.dmp

Filesize
132KB

Download
memory/1532-147-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1532-143-0x0000000000000000-mapping.dmp

Download
memory/2352-124-0x0000000000000000-mapping.dmp

Download
memory/2352-128-0x00000000026C0000-0x00000000026E4000-memory.dmp

Filesize
144KB

Download
memory/2540-122-0x0000000000000000-mapping.dmp

Download
memory/2696-139-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2696-134-0x0000000000000000-mapping.dmp

Download
memory/3040-137-0x0000000000000000-mapping.dmp

Download
memory/3680-142-0x0000000000000000-mapping.dmp

Download
memory/3808-123-0x0000000000000000-mapping.dmp

Download
memory/4040-115-0x0000000000400000-0x0000000003DB5000-memory.dmp

Filesize
57.7MB

Download
memory/4040-114-0x0000000003EC0000-0x000000000400A000-memory.dmp

Filesize
1.3MB

Download