amadey | b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d

General

Target

b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe
Size

283KB
MD5

31ab82365078548dcea62da7c2380b2e
SHA1

712fbb4df005439b9810090fd3a2962848e252c4
SHA256

b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
SHA512

937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.16

C2

176.111.174.114/Hnq8vS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

18 476 rundll32.exe
22 384 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

blfte.exe

pid process

644 blfte.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

476 rundll32.exe
476 rundll32.exe
384 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

476 rundll32.exe
476 rundll32.exe
476 rundll32.exe
476 rundll32.exe

flow	pid	process
18	476	rundll32.exe
22	384	rundll32.exe

pid	process
644	blfte.exe

pid	process
476	rundll32.exe
476	rundll32.exe
384	rundll32.exe

pid	process
476	rundll32.exe
476	rundll32.exe
476	rundll32.exe
476	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exeblfte.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 644	860	b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe	blfte.exe
PID 860 wrote to memory of 644	860	b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe	blfte.exe
PID 860 wrote to memory of 644	860	b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe	blfte.exe
PID 644 wrote to memory of 1856	644	blfte.exe	cmd.exe
PID 644 wrote to memory of 1856	644	blfte.exe	cmd.exe
PID 644 wrote to memory of 1856	644	blfte.exe	cmd.exe
PID 1856 wrote to memory of 3396	1856	cmd.exe	reg.exe
PID 1856 wrote to memory of 3396	1856	cmd.exe	reg.exe
PID 1856 wrote to memory of 3396	1856	cmd.exe	reg.exe
PID 644 wrote to memory of 476	644	blfte.exe	rundll32.exe
PID 644 wrote to memory of 476	644	blfte.exe	rundll32.exe
PID 644 wrote to memory of 476	644	blfte.exe	rundll32.exe
PID 644 wrote to memory of 384	644	blfte.exe	rundll32.exe
PID 644 wrote to memory of 384	644	blfte.exe	rundll32.exe
PID 644 wrote to memory of 384	644	blfte.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe
"C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
"C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
4⤵
PID:3396

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1a9f26b569d5df\cred.dll
MD5
985f9c4d8bf231ca08046bcd44d558eb

SHA1
de5711528d94dab76186d9695ce19c3c6c26eec9

SHA256
78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650

SHA512
939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f

Download Submit
C:\ProgramData\1a9f26b569d5df\scr.dll
MD5
a48dc2da2655fd049e37e36fcda28fba

SHA1
96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e

SHA256
76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43

SHA512
37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490

Download Submit
C:\Users\Admin\AppData\Local\Temp\15211594587808204709
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
MD5
31ab82365078548dcea62da7c2380b2e

SHA1
712fbb4df005439b9810090fd3a2962848e252c4

SHA256
b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d

SHA512
937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
MD5
31ab82365078548dcea62da7c2380b2e

SHA1
712fbb4df005439b9810090fd3a2962848e252c4

SHA256
b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d

SHA512
937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3

Download Submit
\ProgramData\1a9f26b569d5df\cred.dll
MD5
985f9c4d8bf231ca08046bcd44d558eb

SHA1
de5711528d94dab76186d9695ce19c3c6c26eec9

SHA256
78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650

SHA512
939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f

Download Submit
\ProgramData\1a9f26b569d5df\cred.dll
MD5
985f9c4d8bf231ca08046bcd44d558eb

SHA1
de5711528d94dab76186d9695ce19c3c6c26eec9

SHA256
78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650

SHA512
939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f

Download Submit
\ProgramData\1a9f26b569d5df\scr.dll
MD5
a48dc2da2655fd049e37e36fcda28fba

SHA1
96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e

SHA256
76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43

SHA512
37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490

Download Submit
memory/384-129-0x0000000000000000-mapping.dmp

Download
memory/476-124-0x0000000000000000-mapping.dmp

Download
memory/476-128-0x00000000006D0000-0x00000000006F4000-memory.dmp

Filesize
144KB

Download
memory/644-123-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/644-122-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/644-116-0x0000000000000000-mapping.dmp

Download
memory/860-114-0x0000000000620000-0x0000000000651000-memory.dmp

Filesize
196KB

Download
memory/860-115-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1856-120-0x0000000000000000-mapping.dmp

Download
memory/3396-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing