amadey | 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

Analysis

max time kernel
203s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
Size

383KB
MD5

56d9df4afbbaee34afb646e85fb4419d
SHA1

0ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA256

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA512

1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Score

10^/10

amadey persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

179.43.154.147/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeProcessChecke.exeftewk.exeftewk.exe

pid process

3512 ftewk.exe
3984 ProcessChecke.exe
2612 ftewk.exe
2072 ftewk.exe

pid	process
3512	ftewk.exe
3984	ProcessChecke.exe
2612	ftewk.exe
2072	ftewk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ftewk.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4820 rundll32.exe
4820 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4820	rundll32.exe
4820	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ProcessChecke.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ProcessChecke.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	ProcessChecke.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4344	4528	WerFault.exe	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
5096	2612	WerFault.exe	ftewk.exe
892	2072	WerFault.exe	ftewk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3360 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4820 rundll32.exe
4820 rundll32.exe

pid	process
3360	schtasks.exe

pid	process
4820	rundll32.exe
4820	rundll32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exeftewk.execmd.exe

description	pid	process	target process
PID 4528 wrote to memory of 3512	4528	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 4528 wrote to memory of 3512	4528	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 4528 wrote to memory of 3512	4528	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 3512 wrote to memory of 236	3512	ftewk.exe	cmd.exe
PID 3512 wrote to memory of 236	3512	ftewk.exe	cmd.exe
PID 3512 wrote to memory of 236	3512	ftewk.exe	cmd.exe
PID 3512 wrote to memory of 3360	3512	ftewk.exe	schtasks.exe
PID 3512 wrote to memory of 3360	3512	ftewk.exe	schtasks.exe
PID 3512 wrote to memory of 3360	3512	ftewk.exe	schtasks.exe
PID 236 wrote to memory of 5044	236	cmd.exe	reg.exe
PID 236 wrote to memory of 5044	236	cmd.exe	reg.exe
PID 236 wrote to memory of 5044	236	cmd.exe	reg.exe
PID 3512 wrote to memory of 3984	3512	ftewk.exe	ProcessChecke.exe
PID 3512 wrote to memory of 3984	3512	ftewk.exe	ProcessChecke.exe
PID 3512 wrote to memory of 4820	3512	ftewk.exe	rundll32.exe
PID 3512 wrote to memory of 4820	3512	ftewk.exe	rundll32.exe
PID 3512 wrote to memory of 4820	3512	ftewk.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
"C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      4⤵
      PID:5044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\1000165001\ProcessChecke.exe
    "C:\Users\Admin\AppData\Local\Temp\1000165001\ProcessChecke.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3984
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1104
  2⤵
  - Program crash
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4528 -ip 4528
1⤵
PID:32

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
PID:2612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 500
  2⤵
  - Program crash
  PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2612 -ip 2612
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 500
  2⤵
  - Program crash
  PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2072 -ip 2072
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000165001\ProcessChecke.exe

Filesize
653KB

MD5
996965601a53e187e80c41751f27636d

SHA1
0874ade44f2fae85e9b20f297b22bf7816b0f835

SHA256
28a92195b78c6bd55062acb3a53139bf1d763ae043c616c57c97ff625b80f4f8

SHA512
d0d4b1847418ec1742710b13d44b41df899562526a2b3970ec43b6e21b419a7edb5da07b1f586936a9890c340e28a9fcc9eca19a12df6a59183e7a017bc81947

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000165001\ProcessChecke.exe

Filesize
653KB

MD5
996965601a53e187e80c41751f27636d

SHA1
0874ade44f2fae85e9b20f297b22bf7816b0f835

SHA256
28a92195b78c6bd55062acb3a53139bf1d763ae043c616c57c97ff625b80f4f8

SHA512
d0d4b1847418ec1742710b13d44b41df899562526a2b3970ec43b6e21b419a7edb5da07b1f586936a9890c340e28a9fcc9eca19a12df6a59183e7a017bc81947

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe

Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll

Filesize
126KB

MD5
b74b2173abbc5a72d47143c1ba62c97c

SHA1
b8d17f4f90fbc3b1347c12caf844354b65184735

SHA256
8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75

SHA512
ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll

Filesize
126KB

MD5
b74b2173abbc5a72d47143c1ba62c97c

SHA1
b8d17f4f90fbc3b1347c12caf844354b65184735

SHA256
8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75

SHA512
ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll

Filesize
126KB

MD5
b74b2173abbc5a72d47143c1ba62c97c

SHA1
b8d17f4f90fbc3b1347c12caf844354b65184735

SHA256
8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75

SHA512
ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac

Download Submit
memory/236-138-0x0000000000000000-mapping.dmp

Download
memory/2072-150-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2072-149-0x00000000006E4000-0x0000000000702000-memory.dmp

Filesize
120KB

Download
memory/2612-146-0x0000000000520000-0x0000000000558000-memory.dmp

Filesize
224KB

Download
memory/2612-147-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2612-145-0x0000000000704000-0x0000000000722000-memory.dmp

Filesize
120KB

Download
memory/3360-139-0x0000000000000000-mapping.dmp

Download
memory/3512-133-0x0000000000000000-mapping.dmp

Download
memory/3512-136-0x000000000073E000-0x000000000075C000-memory.dmp

Filesize
120KB

Download
memory/3512-137-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3984-141-0x0000000000000000-mapping.dmp

Download
memory/4528-131-0x0000000000650000-0x0000000000688000-memory.dmp

Filesize
224KB

Download
memory/4528-130-0x000000000072F000-0x000000000074D000-memory.dmp

Filesize
120KB

Download
memory/4528-132-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4820-151-0x0000000000000000-mapping.dmp

Download
memory/4820-155-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download
memory/5044-140-0x0000000000000000-mapping.dmp

Download