amadey | 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

General

Target

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
Size

383KB
MD5

56d9df4afbbaee34afb646e85fb4419d
SHA1

0ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA256

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA512

1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Score

10^/10

amadey collection spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

179.43.154.147/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

38 3120 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exeftewk.exe

pid process

3460 ftewk.exe
3860 ftewk.exe
3904 ftewk.exe
4372 ftewk.exe
5040 ftewk.exe

flow	pid	process
38	3120	rundll32.exe

pid	process
3460	ftewk.exe
3860	ftewk.exe
3904	ftewk.exe
4372	ftewk.exe
5040	ftewk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ftewk.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3120 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3120	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com

flow	ioc
25	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

ftewk.exeftewk.exe

description	pid	process	target process
PID 3460 set thread context of 3860	3460	ftewk.exe	ftewk.exe
PID 3860 set thread context of 3244	3860	ftewk.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1288	3744	WerFault.exe	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
1696	3904	WerFault.exe	ftewk.exe
2776	3244	WerFault.exe	AppLaunch.exe
828	4372	WerFault.exe	ftewk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

AppLaunch.exerundll32.exe

pid process

3244 AppLaunch.exe
3120 rundll32.exe
3120 rundll32.exe
3120 rundll32.exe
3120 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3244 AppLaunch.exe

pid	process
2780	schtasks.exe

pid	process
3244	AppLaunch.exe
3120	rundll32.exe
3120	rundll32.exe
3120	rundll32.exe
3120	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3244	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exeftewk.execmd.exeftewk.exe

description	pid	process	target process
PID 3744 wrote to memory of 3460	3744	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 3744 wrote to memory of 3460	3744	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 3744 wrote to memory of 3460	3744	87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe	ftewk.exe
PID 3460 wrote to memory of 1156	3460	ftewk.exe	cmd.exe
PID 3460 wrote to memory of 1156	3460	ftewk.exe	cmd.exe
PID 3460 wrote to memory of 1156	3460	ftewk.exe	cmd.exe
PID 3460 wrote to memory of 2780	3460	ftewk.exe	schtasks.exe
PID 3460 wrote to memory of 2780	3460	ftewk.exe	schtasks.exe
PID 3460 wrote to memory of 2780	3460	ftewk.exe	schtasks.exe
PID 1156 wrote to memory of 4224	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 4224	1156	cmd.exe	reg.exe
PID 1156 wrote to memory of 4224	1156	cmd.exe	reg.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3460 wrote to memory of 3860	3460	ftewk.exe	ftewk.exe
PID 3860 wrote to memory of 3244	3860	ftewk.exe	AppLaunch.exe
PID 3860 wrote to memory of 3244	3860	ftewk.exe	AppLaunch.exe
PID 3860 wrote to memory of 3244	3860	ftewk.exe	AppLaunch.exe
PID 3860 wrote to memory of 3244	3860	ftewk.exe	AppLaunch.exe
PID 3860 wrote to memory of 3244	3860	ftewk.exe	AppLaunch.exe
PID 3460 wrote to memory of 3120	3460	ftewk.exe	rundll32.exe
PID 3460 wrote to memory of 3120	3460	ftewk.exe	rundll32.exe
PID 3460 wrote to memory of 3120	3460	ftewk.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
"C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
3⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
4⤵
PID:4224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:2780

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1804
5⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 848
2⤵
- Program crash
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 3744
1⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 500
2⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 3904
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3244 -ip 3244
1⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 508
2⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4372 -ip 4372
1⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
1⤵
- Executes dropped EXE
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
Filesize
383KB

MD5
56d9df4afbbaee34afb646e85fb4419d

SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542

SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c

SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll
Filesize
126KB

MD5
b74b2173abbc5a72d47143c1ba62c97c

SHA1
b8d17f4f90fbc3b1347c12caf844354b65184735

SHA256
8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75

SHA512
ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll
Filesize
126KB

MD5
b74b2173abbc5a72d47143c1ba62c97c

SHA1
b8d17f4f90fbc3b1347c12caf844354b65184735

SHA256
8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75

SHA512
ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac

Download Submit
memory/1156-140-0x0000000000000000-mapping.dmp

Download
memory/2780-141-0x0000000000000000-mapping.dmp

Download
memory/3120-164-0x0000000000000000-mapping.dmp

Download
memory/3244-162-0x0000000006A00000-0x0000000006A50000-memory.dmp

Filesize
320KB

Download
memory/3244-153-0x0000000000000000-mapping.dmp

Download
memory/3244-163-0x0000000006C50000-0x0000000006CEC000-memory.dmp

Filesize
624KB

Download
memory/3244-161-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/3244-160-0x0000000005C80000-0x0000000005D12000-memory.dmp

Filesize
584KB

Download
memory/3244-159-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/3244-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3460-137-0x00000000006CE000-0x00000000006EC000-memory.dmp

Filesize
120KB

Download
memory/3460-139-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3460-134-0x0000000000000000-mapping.dmp

Download
memory/3460-138-0x0000000000600000-0x0000000000638000-memory.dmp

Filesize
224KB

Download
memory/3744-131-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3744-133-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3744-132-0x0000000002210000-0x0000000002248000-memory.dmp

Filesize
224KB

Download
memory/3860-143-0x0000000000000000-mapping.dmp

Download
memory/3860-148-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3860-149-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3860-144-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3860-146-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3860-147-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3904-152-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3904-151-0x00000000006F4000-0x0000000000712000-memory.dmp

Filesize
120KB

Download
memory/4224-142-0x0000000000000000-mapping.dmp

Download
memory/4372-168-0x0000000000774000-0x0000000000792000-memory.dmp

Filesize
120KB

Download
memory/4372-169-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads