amadey | 9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-06-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
Size

250KB
MD5

b58edea3459e74011c931739ad7345f3
SHA1

6b11a3c10e081dd63201abbf65bacb206e054240
SHA256

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad
SHA512

ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Score

10^/10

amadey recordbreaker collection persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.21

antispam-screen.com/fjgD555c3/index.php

soul-kissed.org/fjgD555c3/index.php

rupeika.info/fjgD555c3/index.php

Extracted

Family

recordbreaker

http://179.43.154.171

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023157-159.dat	amadey_cred_module
behavioral2/files/0x0008000000023157-160.dat	amadey_cred_module
behavioral2/files/0x0008000000023157-158.dat	amadey_cred_module
behavioral2/files/0x0008000000023157-162.dat	amadey_cred_module

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow	pid	Process
55	3696	rundll32.exe
57	3696	rundll32.exe
59	3696	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

Processes:

bguuwe.exedaemon.exeAddInProcess32.exebguuwe.exebguuwe.exe

pid	Process
4264	bguuwe.exe
1640	daemon.exe
1548	AddInProcess32.exe
2872	bguuwe.exe
3768	bguuwe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exebguuwe.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	bguuwe.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	Process
5016	rundll32.exe
3696	rundll32.exe
4764	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bguuwe.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000012000\\daemon.exe"	bguuwe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

daemon.exe

description	pid	Process	procid_target
PID 1640 set thread context of 1548	1640	daemon.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4860	1548	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
2188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

daemon.exerundll32.exe

pid	Process
1640	daemon.exe
1640	daemon.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

daemon.exe

description	pid	Process
Token: SeDebugPrivilege	1640	daemon.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exebguuwe.execmd.exedaemon.exe

description	pid	Process	procid_target
PID 4132 wrote to memory of 4264	4132	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	80
PID 4132 wrote to memory of 4264	4132	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	80
PID 4132 wrote to memory of 4264	4132	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	80
PID 4264 wrote to memory of 4300	4264	bguuwe.exe	81
PID 4264 wrote to memory of 4300	4264	bguuwe.exe	81
PID 4264 wrote to memory of 4300	4264	bguuwe.exe	81
PID 4264 wrote to memory of 2188	4264	bguuwe.exe	83
PID 4264 wrote to memory of 2188	4264	bguuwe.exe	83
PID 4264 wrote to memory of 2188	4264	bguuwe.exe	83
PID 4300 wrote to memory of 4700	4300	cmd.exe	85
PID 4300 wrote to memory of 4700	4300	cmd.exe	85
PID 4300 wrote to memory of 4700	4300	cmd.exe	85
PID 4264 wrote to memory of 1640	4264	bguuwe.exe	90
PID 4264 wrote to memory of 1640	4264	bguuwe.exe	90
PID 4264 wrote to memory of 1640	4264	bguuwe.exe	90
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 1640 wrote to memory of 1548	1640	daemon.exe	96
PID 4264 wrote to memory of 5016	4264	bguuwe.exe	102
PID 4264 wrote to memory of 5016	4264	bguuwe.exe	102
PID 4264 wrote to memory of 5016	4264	bguuwe.exe	102
PID 4264 wrote to memory of 3696	4264	bguuwe.exe	103
PID 4264 wrote to memory of 3696	4264	bguuwe.exe	103
PID 4264 wrote to memory of 3696	4264	bguuwe.exe	103
PID 4264 wrote to memory of 4764	4264	bguuwe.exe	104
PID 4264 wrote to memory of 4764	4264	bguuwe.exe	104
PID 4264 wrote to memory of 4764	4264	bguuwe.exe	104

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
"C:\Users\Admin\AppData\Local\Temp\9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  "C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\74480db1f5\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\74480db1f5\
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2188
- - C:\Users\Admin\AppData\Roaming\1000012000\daemon.exe
    "C:\Users\Admin\AppData\Roaming\1000012000\daemon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      4⤵
      Executes dropped EXE
      PID:1548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 208
        5⤵
        Program crash
        
        PID:4860
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5016
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:3696
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1548 -ip 1548
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
1⤵
- Executes dropped EXE
PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Roaming\1000012000\daemon.exe

Filesize
441KB

MD5
714a716babb6ac6acebeceb3cf0d4d72

SHA1
29aba676be8532489c96215c97e87dc059aceb00

SHA256
53258305071b5d44742eee6a7b3a55d011201072e59bc260eeaba8ca74b9325f

SHA512
200b4e6f47540b4b81de6cf21d0a2201572bb4f621e22f4f09d20dc2a1889dfaf247b34bdfd4ab6dff0090f729d7ee9bc79b397d1a48aeeefcd62e8b2c072db4

Download Submit
C:\Users\Admin\AppData\Roaming\1000012000\daemon.exe

Filesize
441KB

MD5
714a716babb6ac6acebeceb3cf0d4d72

SHA1
29aba676be8532489c96215c97e87dc059aceb00

SHA256
53258305071b5d44742eee6a7b3a55d011201072e59bc260eeaba8ca74b9325f

SHA512
200b4e6f47540b4b81de6cf21d0a2201572bb4f621e22f4f09d20dc2a1889dfaf247b34bdfd4ab6dff0090f729d7ee9bc79b397d1a48aeeefcd62e8b2c072db4

Download Submit
C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll

Filesize
126KB

MD5
c20886a70c9ca1f5e2cfb1ea240ad725

SHA1
84bae1db77008a88fdedbce3e93c730a0974054e

SHA256
48ccc63c07a805daa0167031737d97962a374f0a941cb4cbb9742474ecdf00ad

SHA512
f52668445e0fb89aeb505f1f6a7b8fdba30743789364efee29121e9aaeac0be178d71e320c5f19384b0b54efe17213e33ec3994ba1a12b832b1ef551d89345b1

Download Submit
C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll

Filesize
126KB

MD5
c20886a70c9ca1f5e2cfb1ea240ad725

SHA1
84bae1db77008a88fdedbce3e93c730a0974054e

SHA256
48ccc63c07a805daa0167031737d97962a374f0a941cb4cbb9742474ecdf00ad

SHA512
f52668445e0fb89aeb505f1f6a7b8fdba30743789364efee29121e9aaeac0be178d71e320c5f19384b0b54efe17213e33ec3994ba1a12b832b1ef551d89345b1

Download Submit
C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll

Filesize
126KB

MD5
c20886a70c9ca1f5e2cfb1ea240ad725

SHA1
84bae1db77008a88fdedbce3e93c730a0974054e

SHA256
48ccc63c07a805daa0167031737d97962a374f0a941cb4cbb9742474ecdf00ad

SHA512
f52668445e0fb89aeb505f1f6a7b8fdba30743789364efee29121e9aaeac0be178d71e320c5f19384b0b54efe17213e33ec3994ba1a12b832b1ef551d89345b1

Download Submit
C:\Users\Admin\AppData\Roaming\df455aeb1f62d5\cred.dll

Filesize
126KB

MD5
c20886a70c9ca1f5e2cfb1ea240ad725

SHA1
84bae1db77008a88fdedbce3e93c730a0974054e

SHA256
48ccc63c07a805daa0167031737d97962a374f0a941cb4cbb9742474ecdf00ad

SHA512
f52668445e0fb89aeb505f1f6a7b8fdba30743789364efee29121e9aaeac0be178d71e320c5f19384b0b54efe17213e33ec3994ba1a12b832b1ef551d89345b1

Download Submit
memory/1548-145-0x0000000000000000-mapping.dmp

Download
memory/1548-154-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1548-151-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1548-148-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1640-144-0x000000000E060000-0x000000000E082000-memory.dmp

Filesize
136KB

Download
memory/1640-139-0x0000000000110000-0x0000000000184000-memory.dmp

Filesize
464KB

Download
memory/1640-143-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/1640-142-0x0000000005D90000-0x0000000005E22000-memory.dmp

Filesize
584KB

Download
memory/1640-141-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/1640-140-0x0000000004A80000-0x0000000004B1C000-memory.dmp

Filesize
624KB

Download
memory/1640-136-0x0000000000000000-mapping.dmp

Download
memory/2188-134-0x0000000000000000-mapping.dmp

Download
memory/3696-157-0x0000000000000000-mapping.dmp

Download
memory/4264-130-0x0000000000000000-mapping.dmp

Download
memory/4300-133-0x0000000000000000-mapping.dmp

Download
memory/4700-135-0x0000000000000000-mapping.dmp

Download
memory/4764-161-0x0000000000000000-mapping.dmp

Download
memory/5016-156-0x0000000000000000-mapping.dmp

Download