amadey | 5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

General

Target

a12b477f3a02a42eeae121a8ce166030.exe
Size

242KB
MD5

a12b477f3a02a42eeae121a8ce166030
SHA1

31a368c8958fd1a8f8f18058b3e2133d0f55ba8a
SHA256

5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c
SHA512

6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374
SSDEEP

3072:gZs1Re5JHklkmbUA4b9LKBEjMFcekSGVL/aNvpEQiYif1/ZR:LQmbZ45KBEjZdSGVLlOiP

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
behavioral2/memory/1824-159-0x0000000001350000-0x0000000001374000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

28 1824 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rovwer.exerovwer.exerovwer.exe

pid process

4264 rovwer.exe
3116 rovwer.exe
1756 rovwer.exe

flow	pid	process
28	1824	rundll32.exe

pid	process
4264	rovwer.exe
3116	rovwer.exe
1756	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a12b477f3a02a42eeae121a8ce166030.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a12b477f3a02a42eeae121a8ce166030.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1824 rundll32.exe
1824 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1824	rundll32.exe
1824	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1976	2596	WerFault.exe	a12b477f3a02a42eeae121a8ce166030.exe
4728	3116	WerFault.exe	rovwer.exe
892	1756	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1824 rundll32.exe
1824 rundll32.exe
1824 rundll32.exe
1824 rundll32.exe

pid	process
4796	schtasks.exe

pid	process
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a12b477f3a02a42eeae121a8ce166030.exerovwer.execmd.exe

description	pid	process	target process
PID 2596 wrote to memory of 4264	2596	a12b477f3a02a42eeae121a8ce166030.exe	rovwer.exe
PID 2596 wrote to memory of 4264	2596	a12b477f3a02a42eeae121a8ce166030.exe	rovwer.exe
PID 2596 wrote to memory of 4264	2596	a12b477f3a02a42eeae121a8ce166030.exe	rovwer.exe
PID 4264 wrote to memory of 4796	4264	rovwer.exe	schtasks.exe
PID 4264 wrote to memory of 4796	4264	rovwer.exe	schtasks.exe
PID 4264 wrote to memory of 4796	4264	rovwer.exe	schtasks.exe
PID 4264 wrote to memory of 2752	4264	rovwer.exe	cmd.exe
PID 4264 wrote to memory of 2752	4264	rovwer.exe	cmd.exe
PID 4264 wrote to memory of 2752	4264	rovwer.exe	cmd.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 1632	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 1804	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 1804	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 1804	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 4408	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 4408	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 4408	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 4288	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 4288	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 4288	2752	cmd.exe	cmd.exe
PID 2752 wrote to memory of 3500	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 3500	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 3500	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 5108	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 5108	2752	cmd.exe	cacls.exe
PID 2752 wrote to memory of 5108	2752	cmd.exe	cacls.exe
PID 4264 wrote to memory of 1824	4264	rovwer.exe	rundll32.exe
PID 4264 wrote to memory of 1824	4264	rovwer.exe	rundll32.exe
PID 4264 wrote to memory of 1824	4264	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\a12b477f3a02a42eeae121a8ce166030.exe
"C:\Users\Admin\AppData\Local\Temp\a12b477f3a02a42eeae121a8ce166030.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1632

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:1804

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4288

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:5108

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 908
2⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2596 -ip 2596
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 216
2⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3116 -ip 3116
1⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 424
2⤵
- Program crash
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1756 -ip 1756
1⤵
PID:3528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
242KB

MD5
a12b477f3a02a42eeae121a8ce166030

SHA1
31a368c8958fd1a8f8f18058b3e2133d0f55ba8a

SHA256
5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c

SHA512
6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/1632-142-0x0000000000000000-mapping.dmp

Download
memory/1756-161-0x000000000079C000-0x00000000007BB000-memory.dmp

Filesize
124KB

Download
memory/1756-162-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/1804-143-0x0000000000000000-mapping.dmp

Download
memory/1824-159-0x0000000001350000-0x0000000001374000-memory.dmp

Filesize
144KB

Download
memory/1824-155-0x0000000000000000-mapping.dmp

Download
memory/2596-133-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/2596-139-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2596-138-0x00000000008D8000-0x00000000008F7000-memory.dmp

Filesize
124KB

Download
memory/2596-134-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2596-132-0x00000000008D8000-0x00000000008F7000-memory.dmp

Filesize
124KB

Download
memory/2752-141-0x0000000000000000-mapping.dmp

Download
memory/3116-153-0x000000000090C000-0x000000000092B000-memory.dmp

Filesize
124KB

Download
memory/3116-154-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/3500-146-0x0000000000000000-mapping.dmp

Download
memory/4264-151-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4264-150-0x0000000000778000-0x0000000000797000-memory.dmp

Filesize
124KB

Download
memory/4264-149-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/4264-148-0x0000000000778000-0x0000000000797000-memory.dmp

Filesize
124KB

Download
memory/4264-135-0x0000000000000000-mapping.dmp

Download
memory/4288-145-0x0000000000000000-mapping.dmp

Download
memory/4408-144-0x0000000000000000-mapping.dmp

Download
memory/4796-140-0x0000000000000000-mapping.dmp

Download
memory/5108-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads