amadey | e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f

Analysis

max time kernel
105s
max time network
168s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe
Size

218KB
MD5

2e5816315adcf88c8a527722a6590ed6
SHA1

e6756efbc30a0af6d55a64f0a3fefe3cea45293a
SHA256

e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
SHA512

1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756

Score

10^/10

amadey collection spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.05

garts.at/forum/index.php

uknovodom.ru/forum/index.php

prospectsnorth.com/forum/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

15 744 rundll32.exe
17 744 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ftewk.exeftewk.exe

pid process

932 ftewk.exe
1636 ftewk.exe

flow	pid	process
15	744	rundll32.exe
17	744	rundll32.exe

pid	process
932	ftewk.exe
1636	ftewk.exe

Loads dropped DLL 13 IoCs

Processes:

e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exerundll32.exerundll32.exerundll32.exe

pid	process
1928	e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe
744	rundll32.exe
1096	rundll32.exe
1792	rundll32.exe
744	rundll32.exe
744	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1096	rundll32.exe
1096	rundll32.exe
1096	rundll32.exe
744	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

744 rundll32.exe
744 rundll32.exe
744 rundll32.exe
744 rundll32.exe

pid	process
2016	schtasks.exe

pid	process
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exeftewk.execmd.exetaskeng.exe

description	pid	process	target process
PID 1928 wrote to memory of 932	1928	e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe	ftewk.exe
PID 1928 wrote to memory of 932	1928	e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe	ftewk.exe
PID 1928 wrote to memory of 932	1928	e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe	ftewk.exe
PID 1928 wrote to memory of 932	1928	e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe	ftewk.exe
PID 932 wrote to memory of 1192	932	ftewk.exe	cmd.exe
PID 932 wrote to memory of 1192	932	ftewk.exe	cmd.exe
PID 932 wrote to memory of 1192	932	ftewk.exe	cmd.exe
PID 932 wrote to memory of 1192	932	ftewk.exe	cmd.exe
PID 932 wrote to memory of 2016	932	ftewk.exe	schtasks.exe
PID 932 wrote to memory of 2016	932	ftewk.exe	schtasks.exe
PID 932 wrote to memory of 2016	932	ftewk.exe	schtasks.exe
PID 932 wrote to memory of 2016	932	ftewk.exe	schtasks.exe
PID 1192 wrote to memory of 2024	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 2024	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 2024	1192	cmd.exe	reg.exe
PID 1192 wrote to memory of 2024	1192	cmd.exe	reg.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1792	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 744	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 932 wrote to memory of 1096	932	ftewk.exe	rundll32.exe
PID 1148 wrote to memory of 1636	1148	taskeng.exe	ftewk.exe
PID 1148 wrote to memory of 1636	1148	taskeng.exe	ftewk.exe
PID 1148 wrote to memory of 1636	1148	taskeng.exe	ftewk.exe
PID 1148 wrote to memory of 1636	1148	taskeng.exe	ftewk.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe
"C:\Users\Admin\AppData\Local\Temp\e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe
  "C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\958dc2ebed\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\958dc2ebed\
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2016
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1792
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:744
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1096

C:\Windows\system32\taskeng.exe
taskeng.exe {A936C4AB-47BB-4F5E-A283-96F408737E4A} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe
  C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe
  2⤵
  - Executes dropped EXE
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe

Filesize
218KB

MD5
2e5816315adcf88c8a527722a6590ed6

SHA1
e6756efbc30a0af6d55a64f0a3fefe3cea45293a

SHA256
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f

SHA512
1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe

Filesize
218KB

MD5
2e5816315adcf88c8a527722a6590ed6

SHA1
e6756efbc30a0af6d55a64f0a3fefe3cea45293a

SHA256
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f

SHA512
1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe

Filesize
218KB

MD5
2e5816315adcf88c8a527722a6590ed6

SHA1
e6756efbc30a0af6d55a64f0a3fefe3cea45293a

SHA256
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f

SHA512
1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe

Filesize
218KB

MD5
2e5816315adcf88c8a527722a6590ed6

SHA1
e6756efbc30a0af6d55a64f0a3fefe3cea45293a

SHA256
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f

SHA512
1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll

Filesize
126KB

MD5
c96f4b79502c4a88af0ed0935a0d5f13

SHA1
0976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1

SHA256
1b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c

SHA512
8b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486

Download Submit
memory/744-83-0x0000000000161000-0x000000000017B000-memory.dmp

Filesize
104KB

Download
memory/744-63-0x0000000000000000-mapping.dmp

Download
memory/932-56-0x0000000000000000-mapping.dmp

Download
memory/1096-81-0x0000000000121000-0x000000000013B000-memory.dmp

Filesize
104KB

Download
memory/1096-65-0x0000000000000000-mapping.dmp

Download
memory/1192-59-0x0000000000000000-mapping.dmp

Download
memory/1636-85-0x0000000000000000-mapping.dmp

Download
memory/1792-62-0x0000000000000000-mapping.dmp

Download
memory/1792-77-0x0000000000690000-0x00000000006B4000-memory.dmp

Filesize
144KB

Download
memory/1928-54-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download