amadey | 07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

General

Target

7B030FD1473BD9B213A6DA3EF3ADC19E.exe
Size

2.0MB
MD5

7b030fd1473bd9b213a6da3ef3adc19e
SHA1

3fd6debb83d6b9b6240408fecef9946163d5a493
SHA256

07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e
SHA512

833cf86b707836347fca8750ef0abf8d7e6f5ce56ef4dacdaa85b5dc1a44099c94384dba2cbbf575329c0a8569ee2b48e4507633237e4b2231c90bbea855f71d

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.15

C2

92.38.184.216/4dcYcWsw3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

20 3744 rundll32.exe
23 1328 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

jmgas.exe

pid process

4076 jmgas.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3744 rundll32.exe
3744 rundll32.exe
1328 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

3744 rundll32.exe
3744 rundll32.exe
3744 rundll32.exe
3744 rundll32.exe

flow	pid	process
20	3744	rundll32.exe
23	1328	rundll32.exe

pid	process
4076	jmgas.exe

pid	process
3744	rundll32.exe
3744	rundll32.exe
1328	rundll32.exe

pid	process
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe
3744	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

7B030FD1473BD9B213A6DA3EF3ADC19E.exejmgas.execmd.exe

description	pid	process	target process
PID 3896 wrote to memory of 4076	3896	7B030FD1473BD9B213A6DA3EF3ADC19E.exe	jmgas.exe
PID 3896 wrote to memory of 4076	3896	7B030FD1473BD9B213A6DA3EF3ADC19E.exe	jmgas.exe
PID 3896 wrote to memory of 4076	3896	7B030FD1473BD9B213A6DA3EF3ADC19E.exe	jmgas.exe
PID 4076 wrote to memory of 1900	4076	jmgas.exe	cmd.exe
PID 4076 wrote to memory of 1900	4076	jmgas.exe	cmd.exe
PID 4076 wrote to memory of 1900	4076	jmgas.exe	cmd.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 2088	1900	cmd.exe	reg.exe
PID 4076 wrote to memory of 3744	4076	jmgas.exe	rundll32.exe
PID 4076 wrote to memory of 3744	4076	jmgas.exe	rundll32.exe
PID 4076 wrote to memory of 3744	4076	jmgas.exe	rundll32.exe
PID 4076 wrote to memory of 1328	4076	jmgas.exe	rundll32.exe
PID 4076 wrote to memory of 1328	4076	jmgas.exe	rundll32.exe
PID 4076 wrote to memory of 1328	4076	jmgas.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7B030FD1473BD9B213A6DA3EF3ADC19E.exe
"C:\Users\Admin\AppData\Local\Temp\7B030FD1473BD9B213A6DA3EF3ADC19E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\ProgramData\816ea2c2e2\jmgas.exe
"C:\ProgramData\816ea2c2e2\jmgas.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\816ea2c2e2\
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\816ea2c2e2\
4⤵
PID:2088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\scr.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152136866457237103368804
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\816ea2c2e2\jmgas.exe
MD5
7b030fd1473bd9b213a6da3ef3adc19e

SHA1
3fd6debb83d6b9b6240408fecef9946163d5a493

SHA256
07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

SHA512
833cf86b707836347fca8750ef0abf8d7e6f5ce56ef4dacdaa85b5dc1a44099c94384dba2cbbf575329c0a8569ee2b48e4507633237e4b2231c90bbea855f71d

Download Submit
C:\ProgramData\816ea2c2e2\jmgas.exe
MD5
7b030fd1473bd9b213a6da3ef3adc19e

SHA1
3fd6debb83d6b9b6240408fecef9946163d5a493

SHA256
07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e

SHA512
833cf86b707836347fca8750ef0abf8d7e6f5ce56ef4dacdaa85b5dc1a44099c94384dba2cbbf575329c0a8569ee2b48e4507633237e4b2231c90bbea855f71d

Download Submit
C:\ProgramData\bc692796e64ffe\cred.dll
MD5
899d6d472e52fa0891c7a5bf090235dd

SHA1
076acad155813bd284333f2bb224a119e8b952dd

SHA256
542fce375cc802da32461e2b6842745f53aded3b56c76ec85b750d8aba029a23

SHA512
cad0b845d187b751d34f45d1789a819d5273155ddf7b7420c7a19b585e73ec5117039cc92f431fa73c5c11c8b68754ea34732863e54d07dbc6ddc863e04102db

Download Submit
C:\ProgramData\bc692796e64ffe\scr.dll
MD5
bc02549e5e87e2e01868e3eefc0cdc3f

SHA1
78f119a416896d6ae314f180c3d69614f0efadbb

SHA256
270ba1baa2c59c864e8ec517d7d4ea7856cd1c42f97a33a8c9eb9948fac1d0ff

SHA512
3e2ebf1f8c2556bb187b62c39a19c236e80d395eee94cabbabe33cb4bf4706b56bf096ca7575348acce3b2434bec38c6b30bb407214b838667ef15d2c5caf269

Download Submit
\ProgramData\bc692796e64ffe\cred.dll
MD5
899d6d472e52fa0891c7a5bf090235dd

SHA1
076acad155813bd284333f2bb224a119e8b952dd

SHA256
542fce375cc802da32461e2b6842745f53aded3b56c76ec85b750d8aba029a23

SHA512
cad0b845d187b751d34f45d1789a819d5273155ddf7b7420c7a19b585e73ec5117039cc92f431fa73c5c11c8b68754ea34732863e54d07dbc6ddc863e04102db

Download Submit
\ProgramData\bc692796e64ffe\cred.dll
MD5
899d6d472e52fa0891c7a5bf090235dd

SHA1
076acad155813bd284333f2bb224a119e8b952dd

SHA256
542fce375cc802da32461e2b6842745f53aded3b56c76ec85b750d8aba029a23

SHA512
cad0b845d187b751d34f45d1789a819d5273155ddf7b7420c7a19b585e73ec5117039cc92f431fa73c5c11c8b68754ea34732863e54d07dbc6ddc863e04102db

Download Submit
\ProgramData\bc692796e64ffe\scr.dll
MD5
bc02549e5e87e2e01868e3eefc0cdc3f

SHA1
78f119a416896d6ae314f180c3d69614f0efadbb

SHA256
270ba1baa2c59c864e8ec517d7d4ea7856cd1c42f97a33a8c9eb9948fac1d0ff

SHA512
3e2ebf1f8c2556bb187b62c39a19c236e80d395eee94cabbabe33cb4bf4706b56bf096ca7575348acce3b2434bec38c6b30bb407214b838667ef15d2c5caf269

Download Submit
memory/1328-131-0x0000000000000000-mapping.dmp

Download
memory/1900-124-0x0000000000000000-mapping.dmp

Download
memory/2088-125-0x0000000000000000-mapping.dmp

Download
memory/3744-126-0x0000000000000000-mapping.dmp

Download
memory/3744-130-0x00000000009E0000-0x0000000000A04000-memory.dmp

Filesize
144KB

Download
memory/3896-114-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/3896-115-0x0000000002A20000-0x0000000002A51000-memory.dmp

Filesize
196KB

Download
memory/3896-116-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/4076-117-0x0000000000000000-mapping.dmp

Download
memory/4076-123-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/4076-120-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing