amadey | eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba

General

Target

fcd520e66c1d5395d3d03dabd4f7f92e.exe
Size

402KB
MD5

fcd520e66c1d5395d3d03dabd4f7f92e
SHA1

870348a40c0f06d6c222b8e0ffc4ddcad2e510bf
SHA256

eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba
SHA512

3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601
SSDEEP

6144:F5aWaLr2KM18ijRjqaqnS5KIrqthzdKOJAkDHcM6++ra9n:iLOKM1t7qna7kqtkDI+6

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

46 4400 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rovwer.exerovwer.exerovwer.exe

pid process

3448 rovwer.exe
1520 rovwer.exe
1596 rovwer.exe

flow	pid	process
46	4400	rundll32.exe

pid	process
3448	rovwer.exe
1520	rovwer.exe
1596	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcd520e66c1d5395d3d03dabd4f7f92e.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fcd520e66c1d5395d3d03dabd4f7f92e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4400 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4400	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5012 1436 WerFault.exe fcd520e66c1d5395d3d03dabd4f7f92e.exe
208 1520 WerFault.exe rovwer.exe
980 1596 WerFault.exe rovwer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4912 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4400 rundll32.exe
4400 rundll32.exe
4400 rundll32.exe
4400 rundll32.exe

pid	pid_target	process	target process
5012	1436	WerFault.exe	fcd520e66c1d5395d3d03dabd4f7f92e.exe
208	1520	WerFault.exe	rovwer.exe
980	1596	WerFault.exe	rovwer.exe

pid	process
4912	schtasks.exe

pid	process
4400	rundll32.exe
4400	rundll32.exe
4400	rundll32.exe
4400	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fcd520e66c1d5395d3d03dabd4f7f92e.exerovwer.exe

description	pid	process	target process
PID 1436 wrote to memory of 3448	1436	fcd520e66c1d5395d3d03dabd4f7f92e.exe	rovwer.exe
PID 1436 wrote to memory of 3448	1436	fcd520e66c1d5395d3d03dabd4f7f92e.exe	rovwer.exe
PID 1436 wrote to memory of 3448	1436	fcd520e66c1d5395d3d03dabd4f7f92e.exe	rovwer.exe
PID 3448 wrote to memory of 4912	3448	rovwer.exe	schtasks.exe
PID 3448 wrote to memory of 4912	3448	rovwer.exe	schtasks.exe
PID 3448 wrote to memory of 4912	3448	rovwer.exe	schtasks.exe
PID 3448 wrote to memory of 4400	3448	rovwer.exe	rundll32.exe
PID 3448 wrote to memory of 4400	3448	rovwer.exe	rundll32.exe
PID 3448 wrote to memory of 4400	3448	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fcd520e66c1d5395d3d03dabd4f7f92e.exe
"C:\Users\Admin\AppData\Local\Temp\fcd520e66c1d5395d3d03dabd4f7f92e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 896
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1436 -ip 1436
1⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 420
2⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520
1⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 420
2⤵
- Program crash
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1596 -ip 1596
1⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
402KB

MD5
fcd520e66c1d5395d3d03dabd4f7f92e

SHA1
870348a40c0f06d6c222b8e0ffc4ddcad2e510bf

SHA256
eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba

SHA512
3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
402KB

MD5
fcd520e66c1d5395d3d03dabd4f7f92e

SHA1
870348a40c0f06d6c222b8e0ffc4ddcad2e510bf

SHA256
eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba

SHA512
3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
402KB

MD5
fcd520e66c1d5395d3d03dabd4f7f92e

SHA1
870348a40c0f06d6c222b8e0ffc4ddcad2e510bf

SHA256
eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba

SHA512
3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
402KB

MD5
fcd520e66c1d5395d3d03dabd4f7f92e

SHA1
870348a40c0f06d6c222b8e0ffc4ddcad2e510bf

SHA256
eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba

SHA512
3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
memory/1436-133-0x00000000024B0000-0x00000000024EE000-memory.dmp

Filesize
248KB

Download
memory/1436-134-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/1436-132-0x00000000009AB000-0x00000000009CA000-memory.dmp

Filesize
124KB

Download
memory/1436-141-0x00000000009AB000-0x00000000009CA000-memory.dmp

Filesize
124KB

Download
memory/1436-142-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/1520-147-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/1520-146-0x00000000009CE000-0x00000000009ED000-memory.dmp

Filesize
124KB

Download
memory/1596-152-0x0000000000B1E000-0x0000000000B3D000-memory.dmp

Filesize
124KB

Download
memory/1596-153-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/3448-144-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/3448-143-0x000000000091A000-0x0000000000939000-memory.dmp

Filesize
124KB

Download
memory/3448-140-0x0000000000400000-0x0000000000868000-memory.dmp

Filesize
4.4MB

Download
memory/3448-139-0x000000000091A000-0x0000000000939000-memory.dmp

Filesize
124KB

Download
memory/3448-135-0x0000000000000000-mapping.dmp

Download
memory/4400-148-0x0000000000000000-mapping.dmp

Download
memory/4912-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads