amadey | 26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae

Analysis

max time kernel
117s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2022, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

338KB
MD5

fe641225d44e5c64bac142415f5e2ca9
SHA1

bb52078f856857af809aab239b5462da2e0e9e39
SHA256

26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae
SHA512

be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276
SSDEEP

6144:CWUH4LEwjG5BeT56lcqeMy8v3lbviynvyh8slw7n1HbwZoV9J:2YowjG58ycl+lxnqh80w7

Score

10^/10

amadey collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.63

62.204.41.17/8bdSvcD/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

resource	yara_rule
behavioral2/files/0x000b00000001f020-149.dat	amadey_cred_module
behavioral2/memory/3740-152-0x0000000000610000-0x0000000000634000-memory.dmp	amadey_cred_module
behavioral2/files/0x000b00000001f020-151.dat	amadey_cred_module
behavioral2/files/0x000b00000001f020-150.dat	amadey_cred_module

Blocklisted process makes network request 1 IoCs

flow	pid	Process
40	3740	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
2324	nbveek.exe
4364	nbveek.exe
3652	nbveek.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	nbveek.exe

Loads dropped DLL 2 IoCs

pid	Process
3740	rundll32.exe
3740	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 24 IoCs

pid	pid_target	Process	procid_target
796	4864	WerFault.exe	81
5112	4864	WerFault.exe	81
5076	4864	WerFault.exe	81
2208	4864	WerFault.exe	81
3116	4864	WerFault.exe	81
220	4864	WerFault.exe	81
3108	4864	WerFault.exe	81
1100	2324	WerFault.exe	97
3840	2324	WerFault.exe	97
3936	2324	WerFault.exe	97
3960	2324	WerFault.exe	97
4412	2324	WerFault.exe	97
3584	2324	WerFault.exe	97
4084	2324	WerFault.exe	97
920	2324	WerFault.exe	97
4228	2324	WerFault.exe	97
524	2324	WerFault.exe	97
4768	2324	WerFault.exe	97
3804	2324	WerFault.exe	97
3908	4364	WerFault.exe	130
1008	2324	WerFault.exe	97
616	2324	WerFault.exe	97
5108	2324	WerFault.exe	97
2636	3652	WerFault.exe	140

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3740	rundll32.exe
3740	rundll32.exe
3740	rundll32.exe
3740	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2324	4864	file.exe	97
PID 4864 wrote to memory of 2324	4864	file.exe	97
PID 4864 wrote to memory of 2324	4864	file.exe	97
PID 2324 wrote to memory of 1992	2324	nbveek.exe	117
PID 2324 wrote to memory of 1992	2324	nbveek.exe	117
PID 2324 wrote to memory of 1992	2324	nbveek.exe	117
PID 2324 wrote to memory of 3740	2324	nbveek.exe	135
PID 2324 wrote to memory of 3740	2324	nbveek.exe	135
PID 2324 wrote to memory of 3740	2324	nbveek.exe	135

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 896
  2⤵
  - Program crash
  PID:796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
  2⤵
  - Program crash
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 908
  2⤵
  - Program crash
  PID:5076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1076
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 900
  2⤵
  - Program crash
  PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 924
  2⤵
  - Program crash
  PID:220
- C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 584
    3⤵
    - Program crash
    PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 708
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 784
    3⤵
    - Program crash
    PID:3936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
    3⤵
    - Program crash
    PID:3960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1020
    3⤵
    - Program crash
    PID:4084
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 912
    3⤵
    - Program crash
    PID:920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 668
    3⤵
    - Program crash
    PID:4228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 652
    3⤵
    - Program crash
    PID:524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1228
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 988
    3⤵
    - Program crash
    PID:3804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1512
    3⤵
    - Program crash
    PID:1008
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - outlook_win_path
    PID:3740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1004
    3⤵
    - Program crash
    PID:616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1528
    3⤵
    - Program crash
    PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 864
  2⤵
  - Program crash
  PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4864 -ip 4864
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4864 -ip 4864
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4864 -ip 4864
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4864 -ip 4864
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4864 -ip 4864
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4864 -ip 4864
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2324 -ip 2324
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2324 -ip 2324
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2324 -ip 2324
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2324 -ip 2324
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2324 -ip 2324
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2324 -ip 2324
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2324 -ip 2324
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2324 -ip 2324
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2324 -ip 2324
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2324 -ip 2324
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2324 -ip 2324
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2324 -ip 2324
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
1⤵
- Executes dropped EXE
PID:4364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 320
  2⤵
  - Program crash
  PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4364 -ip 4364
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2324 -ip 2324
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2324 -ip 2324
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2324 -ip 2324
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe
1⤵
- Executes dropped EXE
PID:3652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 312
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3652 -ip 3652
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe

Filesize
338KB

MD5
fe641225d44e5c64bac142415f5e2ca9

SHA1
bb52078f856857af809aab239b5462da2e0e9e39

SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae

SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe

Filesize
338KB

MD5
fe641225d44e5c64bac142415f5e2ca9

SHA1
bb52078f856857af809aab239b5462da2e0e9e39

SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae

SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe

Filesize
338KB

MD5
fe641225d44e5c64bac142415f5e2ca9

SHA1
bb52078f856857af809aab239b5462da2e0e9e39

SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae

SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276

Download Submit
C:\Users\Admin\AppData\Local\Temp\3858e4df6b\nbveek.exe

Filesize
338KB

MD5
fe641225d44e5c64bac142415f5e2ca9

SHA1
bb52078f856857af809aab239b5462da2e0e9e39

SHA256
26884198ab42034a2515a138d610a912875f1fc361c7a19bf5d861ab8a5841ae

SHA512
be0545fec243e9baae0c298e891956b843b3c7fb1a1b62f55bcdae43315c3311066baa3c02aa8b2e73f0423be48ac1cb8d6d36aac5cc3a84bbe942d78c72d276

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
126KB

MD5
9cb722f11d688872348be236f8e5d149

SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354

SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321

SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
126KB

MD5
9cb722f11d688872348be236f8e5d149

SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354

SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321

SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
126KB

MD5
9cb722f11d688872348be236f8e5d149

SHA1
e54f80b631c1931b574baf6953a3948fe3d7d354

SHA256
53bb660c1ae533d41b887a771ab2d8a2f73320c4d1441448c4bf75dfbc875321

SHA512
52e318939fd63c89ee8f92b3c7e17f08919f6a5ac229418a6f0678daad9a3f285f121ad4aab7ef4bb575d368c989fc02e07a654b919f9bb1ba7fe7a9c5c37774

Download Submit
memory/2324-141-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2324-140-0x0000000000706000-0x0000000000724000-memory.dmp

Filesize
120KB

Download
memory/2324-143-0x0000000000706000-0x0000000000724000-memory.dmp

Filesize
120KB

Download
memory/2324-144-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3652-154-0x000000000069A000-0x00000000006B9000-memory.dmp

Filesize
124KB

Download
memory/3652-155-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3740-152-0x0000000000610000-0x0000000000634000-memory.dmp

Filesize
144KB

Download
memory/4364-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4364-146-0x000000000058A000-0x00000000005A9000-memory.dmp

Filesize
124KB

Download
memory/4864-132-0x00000000006B7000-0x00000000006D6000-memory.dmp

Filesize
124KB

Download
memory/4864-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4864-138-0x00000000006B7000-0x00000000006D6000-memory.dmp

Filesize
124KB

Download
memory/4864-134-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4864-133-0x00000000008B0000-0x00000000008EC000-memory.dmp

Filesize
240KB

Download