amadey | 47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

Analysis

max time kernel
131s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

232KB
MD5

7b33b63bf2ee044adea84fec13b603b2
SHA1

3f1be9575126a2683b10f079ec835f09504a567f
SHA256

47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36
SHA512

378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885
SSDEEP

6144:4yfLbDpCpjAnCXJMpxXrEr2eTxJ/qsaXG:4yfXVWACXJMpxQCyCsY

Score

10^/10

amadey collection persistence spyware stealer trojan upx

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

66 5052 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

rovwer.exedron.exerovwer.exerovwer.exerovwer.exe

pid process

3220 rovwer.exe
1140 dron.exe
3632 rovwer.exe
1988 rovwer.exe
2152 rovwer.exe

flow	pid	process
66	5052	rundll32.exe

pid	process
3220	rovwer.exe
1140	dron.exe
3632	rovwer.exe
1988	rovwer.exe
2152	rovwer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe	upx
behavioral2/memory/1140-146-0x0000000000340000-0x0000000000B2B000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5052 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5052	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dron.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\dron.exe"	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
504	3196	WerFault.exe	file.exe
1304	3632	WerFault.exe	rovwer.exe
1860	1988	WerFault.exe	rovwer.exe
4312	2152	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 22 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

5052 rundll32.exe
5052 rundll32.exe
5052 rundll32.exe
5052 rundll32.exe

pid	process
1548	schtasks.exe

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1

pid	process
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exerovwer.exe

description	pid	process	target process
PID 3196 wrote to memory of 3220	3196	file.exe	rovwer.exe
PID 3196 wrote to memory of 3220	3196	file.exe	rovwer.exe
PID 3196 wrote to memory of 3220	3196	file.exe	rovwer.exe
PID 3220 wrote to memory of 1548	3220	rovwer.exe	schtasks.exe
PID 3220 wrote to memory of 1548	3220	rovwer.exe	schtasks.exe
PID 3220 wrote to memory of 1548	3220	rovwer.exe	schtasks.exe
PID 3220 wrote to memory of 1140	3220	rovwer.exe	dron.exe
PID 3220 wrote to memory of 1140	3220	rovwer.exe	dron.exe
PID 3220 wrote to memory of 5052	3220	rovwer.exe	rundll32.exe
PID 3220 wrote to memory of 5052	3220	rovwer.exe	rundll32.exe
PID 3220 wrote to memory of 5052	3220	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1548

C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe"
3⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1184
2⤵
- Program crash
PID:504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3196 -ip 3196
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 416
2⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3632 -ip 3632
1⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 424
2⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1988 -ip 1988
1⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 420
2⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2152 -ip 2152
1⤵
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe
Filesize
2.8MB

MD5
6764e377307a024b31625984b2f07e1b

SHA1
835f032a815413da3612c994ed99737dea56bf82

SHA256
df382046dd17766213b03aaa054c1e6bd52754779020802189f6db5003941781

SHA512
5639fb391a28f228799a4b3cdb84d0348df13ea74643199553e92ad33e80e3e5ac287dd34a68f7601543ad87fdf9d2b7111b671dc9a62c3ba592e441ba8b9a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe
Filesize
2.8MB

MD5
6764e377307a024b31625984b2f07e1b

SHA1
835f032a815413da3612c994ed99737dea56bf82

SHA256
df382046dd17766213b03aaa054c1e6bd52754779020802189f6db5003941781

SHA512
5639fb391a28f228799a4b3cdb84d0348df13ea74643199553e92ad33e80e3e5ac287dd34a68f7601543ad87fdf9d2b7111b671dc9a62c3ba592e441ba8b9a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
232KB

MD5
7b33b63bf2ee044adea84fec13b603b2

SHA1
3f1be9575126a2683b10f079ec835f09504a567f

SHA256
47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

SHA512
378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
232KB

MD5
7b33b63bf2ee044adea84fec13b603b2

SHA1
3f1be9575126a2683b10f079ec835f09504a567f

SHA256
47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

SHA512
378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
232KB

MD5
7b33b63bf2ee044adea84fec13b603b2

SHA1
3f1be9575126a2683b10f079ec835f09504a567f

SHA256
47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

SHA512
378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
232KB

MD5
7b33b63bf2ee044adea84fec13b603b2

SHA1
3f1be9575126a2683b10f079ec835f09504a567f

SHA256
47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

SHA512
378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
232KB

MD5
7b33b63bf2ee044adea84fec13b603b2

SHA1
3f1be9575126a2683b10f079ec835f09504a567f

SHA256
47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36

SHA512
378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/1140-146-0x0000000000340000-0x0000000000B2B000-memory.dmp

Filesize
7.9MB

Download
memory/1140-143-0x0000000000000000-mapping.dmp

Download
memory/1548-138-0x0000000000000000-mapping.dmp

Download
memory/1988-156-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1988-155-0x000000000077C000-0x000000000079B000-memory.dmp

Filesize
124KB

Download
memory/2152-159-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2152-158-0x000000000089C000-0x00000000008BB000-memory.dmp

Filesize
124KB

Download
memory/3196-134-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3196-139-0x00000000008B9000-0x00000000008D8000-memory.dmp

Filesize
124KB

Download
memory/3196-133-0x0000000000850000-0x000000000088E000-memory.dmp

Filesize
248KB

Download
memory/3196-132-0x00000000008B9000-0x00000000008D8000-memory.dmp

Filesize
124KB

Download
memory/3196-140-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3220-150-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3220-135-0x0000000000000000-mapping.dmp

Download
memory/3220-141-0x0000000000718000-0x0000000000737000-memory.dmp

Filesize
124KB

Download
memory/3220-142-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3632-149-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3632-148-0x000000000081C000-0x000000000083B000-memory.dmp

Filesize
124KB

Download
memory/5052-151-0x0000000000000000-mapping.dmp

Download