amadey | 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-05-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Size

218KB
MD5

a9c62f3c2b7bf88433746c06a7196a92
SHA1

020c23eb4a3a4df8c6c1e5450127fa9383095378
SHA256

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
SHA512

342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Score

10^/10

amadey collection spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

190.123.44.195/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

5 832 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

ftewk.exeftewk.exeftewk.exe

pid process

364 ftewk.exe
1408 ftewk.exe
1228 ftewk.exe
Loads dropped DLL 5 IoCs

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exerundll32.exe

pid process

1348 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
832 rundll32.exe
832 rundll32.exe
832 rundll32.exe
832 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
5	832	rundll32.exe

pid	process
364	ftewk.exe
1408	ftewk.exe
1228	ftewk.exe

pid	process
1348	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

832 rundll32.exe
832 rundll32.exe
832 rundll32.exe
832 rundll32.exe

pid	process
1680	schtasks.exe

pid	process
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exeftewk.execmd.exetaskeng.exe

description	pid	process	target process
PID 1348 wrote to memory of 364	1348	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1348 wrote to memory of 364	1348	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1348 wrote to memory of 364	1348	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1348 wrote to memory of 364	1348	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 364 wrote to memory of 1368	364	ftewk.exe	cmd.exe
PID 364 wrote to memory of 1368	364	ftewk.exe	cmd.exe
PID 364 wrote to memory of 1368	364	ftewk.exe	cmd.exe
PID 364 wrote to memory of 1368	364	ftewk.exe	cmd.exe
PID 364 wrote to memory of 1680	364	ftewk.exe	schtasks.exe
PID 364 wrote to memory of 1680	364	ftewk.exe	schtasks.exe
PID 364 wrote to memory of 1680	364	ftewk.exe	schtasks.exe
PID 364 wrote to memory of 1680	364	ftewk.exe	schtasks.exe
PID 1368 wrote to memory of 1008	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 1008	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 1008	1368	cmd.exe	reg.exe
PID 1368 wrote to memory of 1008	1368	cmd.exe	reg.exe
PID 1652 wrote to memory of 1408	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1408	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1408	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1408	1652	taskeng.exe	ftewk.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 364 wrote to memory of 832	364	ftewk.exe	rundll32.exe
PID 1652 wrote to memory of 1228	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1228	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1228	1652	taskeng.exe	ftewk.exe
PID 1652 wrote to memory of 1228	1652	taskeng.exe	ftewk.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
"C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
4⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:832

C:\Windows\system32\taskeng.exe
taskeng.exe {6A0E076F-86D6-4B69-B7D8-B58FC4861993} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
2⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
Filesize
126KB

MD5
6a315cfd3ed85fa8c53870a1c22a22e1

SHA1
829aaca9fd1cdf34e9c513306ae5a0ef02d69158

SHA256
2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c

SHA512
bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33

Download Submit
\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
Filesize
126KB

MD5
6a315cfd3ed85fa8c53870a1c22a22e1

SHA1
829aaca9fd1cdf34e9c513306ae5a0ef02d69158

SHA256
2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c

SHA512
bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33

Download Submit
\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
Filesize
126KB

MD5
6a315cfd3ed85fa8c53870a1c22a22e1

SHA1
829aaca9fd1cdf34e9c513306ae5a0ef02d69158

SHA256
2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c

SHA512
bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33

Download Submit
\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
Filesize
126KB

MD5
6a315cfd3ed85fa8c53870a1c22a22e1

SHA1
829aaca9fd1cdf34e9c513306ae5a0ef02d69158

SHA256
2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c

SHA512
bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33

Download Submit
\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
Filesize
126KB

MD5
6a315cfd3ed85fa8c53870a1c22a22e1

SHA1
829aaca9fd1cdf34e9c513306ae5a0ef02d69158

SHA256
2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c

SHA512
bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33

Download Submit
memory/364-56-0x0000000000000000-mapping.dmp

Download
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/832-73-0x0000000000661000-0x000000000067B000-memory.dmp

Filesize
104KB

Download
memory/1008-61-0x0000000000000000-mapping.dmp

Download
memory/1228-74-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1368-59-0x0000000000000000-mapping.dmp

Download
memory/1408-63-0x0000000000000000-mapping.dmp

Download
memory/1680-60-0x0000000000000000-mapping.dmp

Download