amadey | b4322fc8b118306536700ee32176a93f65e6ab49c30a9176e1513d19c062fb2f

Analysis

max time kernel
146s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe
Size

220KB
MD5

ea28c15e9af2a55f313039ed3110b691
SHA1

19fc1b7b60964e3c7033b1e94b5f3adea7cc989e
SHA256

009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1
SHA512

145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e
SSDEEP

3072:e1jMJDdlipHtrpd54QTSdUkqVYxQnQ2Dv/Ym2ZVL6Y4+Sv8ngNGNwtrxZfFSBZ1Z:cKDdItd+XqVYegy5+yb9Kvp7cd

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e5a3-154.dat	amadey_cred_module
behavioral2/files/0x000400000001e5a3-155.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
36	3404	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3664	rovwer.exe
1420	rovwer.exe
5016	rovwer.exe
4896	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 1 IoCs

pid	Process
3404	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3692	3400	WerFault.exe	82
1720	1420	WerFault.exe	102
4328	5016	WerFault.exe	107
1524	4896	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 3664	3400	009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe	86
PID 3400 wrote to memory of 3664	3400	009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe	86
PID 3400 wrote to memory of 3664	3400	009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe	86
PID 3664 wrote to memory of 4956	3664	rovwer.exe	90
PID 3664 wrote to memory of 4956	3664	rovwer.exe	90
PID 3664 wrote to memory of 4956	3664	rovwer.exe	90
PID 3664 wrote to memory of 4136	3664	rovwer.exe	92
PID 3664 wrote to memory of 4136	3664	rovwer.exe	92
PID 3664 wrote to memory of 4136	3664	rovwer.exe	92
PID 4136 wrote to memory of 312	4136	cmd.exe	94
PID 4136 wrote to memory of 312	4136	cmd.exe	94
PID 4136 wrote to memory of 312	4136	cmd.exe	94
PID 4136 wrote to memory of 4268	4136	cmd.exe	95
PID 4136 wrote to memory of 4268	4136	cmd.exe	95
PID 4136 wrote to memory of 4268	4136	cmd.exe	95
PID 4136 wrote to memory of 4656	4136	cmd.exe	96
PID 4136 wrote to memory of 4656	4136	cmd.exe	96
PID 4136 wrote to memory of 4656	4136	cmd.exe	96
PID 4136 wrote to memory of 408	4136	cmd.exe	99
PID 4136 wrote to memory of 408	4136	cmd.exe	99
PID 4136 wrote to memory of 408	4136	cmd.exe	99
PID 4136 wrote to memory of 4172	4136	cmd.exe	98
PID 4136 wrote to memory of 4172	4136	cmd.exe	98
PID 4136 wrote to memory of 4172	4136	cmd.exe	98
PID 4136 wrote to memory of 4112	4136	cmd.exe	97
PID 4136 wrote to memory of 4112	4136	cmd.exe	97
PID 4136 wrote to memory of 4112	4136	cmd.exe	97
PID 3664 wrote to memory of 3404	3664	rovwer.exe	106
PID 3664 wrote to memory of 3404	3664	rovwer.exe	106
PID 3664 wrote to memory of 3404	3664	rovwer.exe	106

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe
"C:\Users\Admin\AppData\Local\Temp\009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rovwer.exe" /P "Admin:N"
      4⤵
      PID:4268
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rovwer.exe" /P "Admin:R" /E
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\99e342142d" /P "Admin:R" /E
      4⤵
      PID:4112
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\99e342142d" /P "Admin:N"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:408
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 908
  2⤵
  - Program crash
  PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3400 -ip 3400
1⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:1420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 416
  2⤵
  - Program crash
  PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1420 -ip 1420
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 424
  2⤵
  - Program crash
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5016 -ip 5016
1⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 416
  2⤵
  - Program crash
  PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4896 -ip 4896
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
220KB

MD5
ea28c15e9af2a55f313039ed3110b691

SHA1
19fc1b7b60964e3c7033b1e94b5f3adea7cc989e

SHA256
009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1

SHA512
145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
220KB

MD5
ea28c15e9af2a55f313039ed3110b691

SHA1
19fc1b7b60964e3c7033b1e94b5f3adea7cc989e

SHA256
009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1

SHA512
145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
220KB

MD5
ea28c15e9af2a55f313039ed3110b691

SHA1
19fc1b7b60964e3c7033b1e94b5f3adea7cc989e

SHA256
009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1

SHA512
145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
220KB

MD5
ea28c15e9af2a55f313039ed3110b691

SHA1
19fc1b7b60964e3c7033b1e94b5f3adea7cc989e

SHA256
009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1

SHA512
145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
220KB

MD5
ea28c15e9af2a55f313039ed3110b691

SHA1
19fc1b7b60964e3c7033b1e94b5f3adea7cc989e

SHA256
009adc2d6239a57f51e0e6add913c5c050817274ee9becafd713e8ce243d34c1

SHA512
145d4756147f2dcf471a04b12987117e17f1a54b6b1f24ad447f6182886c4d87b5fe65b4f7aa95c1a6aa169b39810230dfee404d4d302ca0d6fcb9269e56269e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
memory/1420-152-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1420-151-0x000000000088C000-0x00000000008AB000-memory.dmp

Filesize
124KB

Download
memory/3400-137-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3400-136-0x00000000021C0000-0x00000000021FE000-memory.dmp

Filesize
248KB

Download
memory/3400-135-0x0000000000608000-0x0000000000627000-memory.dmp

Filesize
124KB

Download
memory/3664-146-0x0000000000798000-0x00000000007B7000-memory.dmp

Filesize
124KB

Download
memory/3664-149-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3664-147-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/3664-148-0x0000000000798000-0x00000000007B7000-memory.dmp

Filesize
124KB

Download
memory/4896-160-0x00000000007BC000-0x00000000007DB000-memory.dmp

Filesize
124KB

Download
memory/4896-161-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/5016-157-0x00000000005EC000-0x000000000060B000-memory.dmp

Filesize
124KB

Download
memory/5016-158-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download