amadey | dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

Analysis

max time kernel
186s
max time network
165s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
Size

334KB
MD5

21a947b4e4a65510aa9188cc950bc943
SHA1

9ee64e984916c52852c31d89b65a08eb2ec61e17
SHA256

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
SHA512

358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Score

10^/10

amadey collection spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

193.106.191.201/panelis/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 1772 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

1068 ftewk.exe
1796 ftewk.exe
1368 ftewk.exe
1060 ftewk.exe

flow	pid	process
6	1772	rundll32.exe

pid	process
1068	ftewk.exe
1796	ftewk.exe
1368	ftewk.exe
1060	ftewk.exe

Loads dropped DLL 6 IoCs

Processes:

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exerundll32.exe

pid	process
1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe

pid	process
1872	schtasks.exe

pid	process
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exeftewk.execmd.exetaskeng.exe

description	pid	process	target process
PID 1472 wrote to memory of 1068	1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe	ftewk.exe
PID 1472 wrote to memory of 1068	1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe	ftewk.exe
PID 1472 wrote to memory of 1068	1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe	ftewk.exe
PID 1472 wrote to memory of 1068	1472	dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe	ftewk.exe
PID 1068 wrote to memory of 1724	1068	ftewk.exe	cmd.exe
PID 1068 wrote to memory of 1724	1068	ftewk.exe	cmd.exe
PID 1068 wrote to memory of 1724	1068	ftewk.exe	cmd.exe
PID 1068 wrote to memory of 1724	1068	ftewk.exe	cmd.exe
PID 1068 wrote to memory of 1872	1068	ftewk.exe	schtasks.exe
PID 1068 wrote to memory of 1872	1068	ftewk.exe	schtasks.exe
PID 1068 wrote to memory of 1872	1068	ftewk.exe	schtasks.exe
PID 1068 wrote to memory of 1872	1068	ftewk.exe	schtasks.exe
PID 1724 wrote to memory of 1652	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1652	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1652	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 1652	1724	cmd.exe	reg.exe
PID 604 wrote to memory of 1796	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1796	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1796	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1796	604	taskeng.exe	ftewk.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 1068 wrote to memory of 1772	1068	ftewk.exe	rundll32.exe
PID 604 wrote to memory of 1368	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1368	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1368	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1368	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1060	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1060	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1060	604	taskeng.exe	ftewk.exe
PID 604 wrote to memory of 1060	604	taskeng.exe	ftewk.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
"C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
3⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
4⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {1F73E332-4AB3-4B6B-9BF1-69FFE645B123} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
2⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
2⤵
- Executes dropped EXE
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize
126KB

MD5
b15e23ee34fa9c69866799fdd8e3820b

SHA1
880b9624ddb7e1484f5694db01f33128bf1a01c3

SHA256
635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e

SHA512
d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4

Download Submit
\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize
126KB

MD5
b15e23ee34fa9c69866799fdd8e3820b

SHA1
880b9624ddb7e1484f5694db01f33128bf1a01c3

SHA256
635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e

SHA512
d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4

Download Submit
\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize
126KB

MD5
b15e23ee34fa9c69866799fdd8e3820b

SHA1
880b9624ddb7e1484f5694db01f33128bf1a01c3

SHA256
635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e

SHA512
d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4

Download Submit
\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize
126KB

MD5
b15e23ee34fa9c69866799fdd8e3820b

SHA1
880b9624ddb7e1484f5694db01f33128bf1a01c3

SHA256
635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e

SHA512
d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4

Download Submit
\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize
126KB

MD5
b15e23ee34fa9c69866799fdd8e3820b

SHA1
880b9624ddb7e1484f5694db01f33128bf1a01c3

SHA256
635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e

SHA512
d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4

Download Submit
memory/1060-91-0x0000000000000000-mapping.dmp

Download
memory/1068-58-0x0000000000000000-mapping.dmp

Download
memory/1068-69-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1068-63-0x00000000002E8000-0x0000000000306000-memory.dmp

Filesize
120KB

Download
memory/1068-68-0x00000000002E8000-0x0000000000306000-memory.dmp

Filesize
120KB

Download
memory/1368-90-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1368-89-0x0000000000598000-0x00000000005B6000-memory.dmp

Filesize
120KB

Download
memory/1368-87-0x0000000000598000-0x00000000005B6000-memory.dmp

Filesize
120KB

Download
memory/1368-85-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x00000000002A8000-0x00000000002C7000-memory.dmp

Filesize
124KB

Download
memory/1472-61-0x0000000000480000-0x00000000004B8000-memory.dmp

Filesize
224KB

Download
memory/1472-60-0x00000000002A8000-0x00000000002C7000-memory.dmp

Filesize
124KB

Download
memory/1472-55-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1472-62-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1652-67-0x0000000000000000-mapping.dmp

Download
memory/1724-65-0x0000000000000000-mapping.dmp

Download
memory/1772-84-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1772-77-0x0000000000000000-mapping.dmp

Download
memory/1796-75-0x00000000002C8000-0x00000000002E6000-memory.dmp

Filesize
120KB

Download
memory/1796-73-0x00000000002C8000-0x00000000002E6000-memory.dmp

Filesize
120KB

Download
memory/1796-71-0x0000000000000000-mapping.dmp

Download
memory/1796-76-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1872-66-0x0000000000000000-mapping.dmp

Download