amadey | 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0

General

Target

7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe
Size

367KB
MD5

a2a86cf41448cc5a375919a2ed050ea4
SHA1

bc8767fd4d9ad5635f114d277a4561c5e5583e89
SHA256

7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
SHA512

a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.16

C2

185.215.113.74/4dcYcWsw3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

19 3752 rundll32.exe
22 2096 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

blfte.exe

pid process

3252 blfte.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3752 rundll32.exe
2096 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3752 rundll32.exe
3752 rundll32.exe
3752 rundll32.exe
3752 rundll32.exe

flow	pid	process
19	3752	rundll32.exe
22	2096	rundll32.exe

pid	process
3252	blfte.exe

pid	process
3752	rundll32.exe
2096	rundll32.exe

pid	process
3752	rundll32.exe
3752	rundll32.exe
3752	rundll32.exe
3752	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exeblfte.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 3252	856	7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe	blfte.exe
PID 856 wrote to memory of 3252	856	7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe	blfte.exe
PID 856 wrote to memory of 3252	856	7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe	blfte.exe
PID 3252 wrote to memory of 496	3252	blfte.exe	cmd.exe
PID 3252 wrote to memory of 496	3252	blfte.exe	cmd.exe
PID 3252 wrote to memory of 496	3252	blfte.exe	cmd.exe
PID 496 wrote to memory of 3468	496	cmd.exe	reg.exe
PID 496 wrote to memory of 3468	496	cmd.exe	reg.exe
PID 496 wrote to memory of 3468	496	cmd.exe	reg.exe
PID 3252 wrote to memory of 3752	3252	blfte.exe	rundll32.exe
PID 3252 wrote to memory of 3752	3252	blfte.exe	rundll32.exe
PID 3252 wrote to memory of 3752	3252	blfte.exe	rundll32.exe
PID 3252 wrote to memory of 2096	3252	blfte.exe	rundll32.exe
PID 3252 wrote to memory of 2096	3252	blfte.exe	rundll32.exe
PID 3252 wrote to memory of 2096	3252	blfte.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe
"C:\Users\Admin\AppData\Local\Temp\7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
"C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
3⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
4⤵
PID:3468

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\scr.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3826790d0e5a5e\cred.dll
MD5
f195dbf9f3449a5434edf834e43b0ff6

SHA1
5a22cf9d196df19e5184d1f786e59a609de13345

SHA256
2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a

SHA512
25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd

Download Submit
C:\ProgramData\3826790d0e5a5e\scr.dll
MD5
756cee4ee058d9d8d05dab2dcb142684

SHA1
d9e476769e4f7f6477c00a08f4b206cc1431f655

SHA256
a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155

SHA512
5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450

Download Submit
C:\Users\Admin\AppData\Local\Temp\15211594587808204709
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
MD5
a2a86cf41448cc5a375919a2ed050ea4

SHA1
bc8767fd4d9ad5635f114d277a4561c5e5583e89

SHA256
7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0

SHA512
a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
MD5
a2a86cf41448cc5a375919a2ed050ea4

SHA1
bc8767fd4d9ad5635f114d277a4561c5e5583e89

SHA256
7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0

SHA512
a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2

Download Submit
\ProgramData\3826790d0e5a5e\cred.dll
MD5
f195dbf9f3449a5434edf834e43b0ff6

SHA1
5a22cf9d196df19e5184d1f786e59a609de13345

SHA256
2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a

SHA512
25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd

Download Submit
\ProgramData\3826790d0e5a5e\scr.dll
MD5
756cee4ee058d9d8d05dab2dcb142684

SHA1
d9e476769e4f7f6477c00a08f4b206cc1431f655

SHA256
a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155

SHA512
5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450

Download Submit
memory/496-122-0x0000000000000000-mapping.dmp

Download
memory/856-114-0x0000000003DD0000-0x0000000003F1A000-memory.dmp

Filesize
1.3MB

Download
memory/856-115-0x0000000000400000-0x0000000003DC2000-memory.dmp

Filesize
57.8MB

Download
memory/2096-127-0x0000000000000000-mapping.dmp

Download
memory/3252-120-0x0000000003ED0000-0x000000000401A000-memory.dmp

Filesize
1.3MB

Download
memory/3252-121-0x0000000000400000-0x0000000003DC2000-memory.dmp

Filesize
57.8MB

Download
memory/3252-116-0x0000000000000000-mapping.dmp

Download
memory/3468-123-0x0000000000000000-mapping.dmp

Download
memory/3752-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing