amadey | 25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed

General

Target

bff15961c6100bf76db0f20f434cd069.exe
Size

221KB
MD5

bff15961c6100bf76db0f20f434cd069
SHA1

7ffcc4359779c74ca2b78526acbfbd147b097de1
SHA256

25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed
SHA512

f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6
SSDEEP

6144:m8eY52kweddYIRDvxw4rjloyF8ICap6rx:m8efkw+YIRDZGna4

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

57 4296 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rovwer.exerovwer.exerovwer.exe

pid process

2312 rovwer.exe
2348 rovwer.exe
652 rovwer.exe

flow	pid	process
57	4296	rundll32.exe

pid	process
2312	rovwer.exe
2348	rovwer.exe
652	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rovwer.exebff15961c6100bf76db0f20f434cd069.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	bff15961c6100bf76db0f20f434cd069.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4296 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4296	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2592 368 WerFault.exe bff15961c6100bf76db0f20f434cd069.exe
1420 2348 WerFault.exe rovwer.exe
648 652 WerFault.exe rovwer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

936 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

4296 rundll32.exe
4296 rundll32.exe
4296 rundll32.exe
4296 rundll32.exe

pid	pid_target	process	target process
2592	368	WerFault.exe	bff15961c6100bf76db0f20f434cd069.exe
1420	2348	WerFault.exe	rovwer.exe
648	652	WerFault.exe	rovwer.exe

pid	process
936	schtasks.exe

pid	process
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe
4296	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

bff15961c6100bf76db0f20f434cd069.exerovwer.execmd.exe

description	pid	process	target process
PID 368 wrote to memory of 2312	368	bff15961c6100bf76db0f20f434cd069.exe	rovwer.exe
PID 368 wrote to memory of 2312	368	bff15961c6100bf76db0f20f434cd069.exe	rovwer.exe
PID 368 wrote to memory of 2312	368	bff15961c6100bf76db0f20f434cd069.exe	rovwer.exe
PID 2312 wrote to memory of 936	2312	rovwer.exe	schtasks.exe
PID 2312 wrote to memory of 936	2312	rovwer.exe	schtasks.exe
PID 2312 wrote to memory of 936	2312	rovwer.exe	schtasks.exe
PID 2312 wrote to memory of 1620	2312	rovwer.exe	cmd.exe
PID 2312 wrote to memory of 1620	2312	rovwer.exe	cmd.exe
PID 2312 wrote to memory of 1620	2312	rovwer.exe	cmd.exe
PID 1620 wrote to memory of 5076	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 5076	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 5076	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 3416	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 3416	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 3416	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 4492	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 4492	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 4492	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 1360	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 1360	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 1360	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 1744	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 1744	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 1744	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 3864	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 3864	1620	cmd.exe	cacls.exe
PID 1620 wrote to memory of 3864	1620	cmd.exe	cacls.exe
PID 2312 wrote to memory of 4296	2312	rovwer.exe	rundll32.exe
PID 2312 wrote to memory of 4296	2312	rovwer.exe	rundll32.exe
PID 2312 wrote to memory of 4296	2312	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bff15961c6100bf76db0f20f434cd069.exe
"C:\Users\Admin\AppData\Local\Temp\bff15961c6100bf76db0f20f434cd069.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5076

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3416

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1360

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:1744

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:3864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 900
2⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 368 -ip 368
1⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 416
2⤵
- Program crash
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2348 -ip 2348
1⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 416
2⤵
- Program crash
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 652 -ip 652
1⤵
PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
221KB

MD5
bff15961c6100bf76db0f20f434cd069

SHA1
7ffcc4359779c74ca2b78526acbfbd147b097de1

SHA256
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed

SHA512
f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
221KB

MD5
bff15961c6100bf76db0f20f434cd069

SHA1
7ffcc4359779c74ca2b78526acbfbd147b097de1

SHA256
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed

SHA512
f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
221KB

MD5
bff15961c6100bf76db0f20f434cd069

SHA1
7ffcc4359779c74ca2b78526acbfbd147b097de1

SHA256
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed

SHA512
f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
221KB

MD5
bff15961c6100bf76db0f20f434cd069

SHA1
7ffcc4359779c74ca2b78526acbfbd147b097de1

SHA256
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed

SHA512
f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/368-133-0x00000000022D0000-0x000000000230E000-memory.dmp

Filesize
248KB

Download
memory/368-134-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/368-150-0x0000000000608000-0x0000000000627000-memory.dmp

Filesize
124KB

Download
memory/368-151-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/368-132-0x0000000000608000-0x0000000000627000-memory.dmp

Filesize
124KB

Download
memory/652-160-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/652-159-0x000000000061C000-0x000000000063B000-memory.dmp

Filesize
124KB

Download
memory/936-138-0x0000000000000000-mapping.dmp

Download
memory/1360-145-0x0000000000000000-mapping.dmp

Download
memory/1620-141-0x0000000000000000-mapping.dmp

Download
memory/1744-146-0x0000000000000000-mapping.dmp

Download
memory/2312-139-0x00000000007F8000-0x0000000000817000-memory.dmp

Filesize
124KB

Download
memory/2312-149-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2312-148-0x00000000007F8000-0x0000000000817000-memory.dmp

Filesize
124KB

Download
memory/2312-140-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2312-135-0x0000000000000000-mapping.dmp

Download
memory/2348-153-0x00000000005BC000-0x00000000005DB000-memory.dmp

Filesize
124KB

Download
memory/2348-154-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3416-143-0x0000000000000000-mapping.dmp

Download
memory/3864-147-0x0000000000000000-mapping.dmp

Download
memory/4296-155-0x0000000000000000-mapping.dmp

Download
memory/4492-144-0x0000000000000000-mapping.dmp

Download
memory/5076-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads