amadey | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

Analysis

max time kernel
114s
max time network
125s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

ebd584e9c1a400cd5d4bafa0e7936468
SHA1

d263c62902326425ed17855d49d35003abcd797b
SHA256

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512

e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
SSDEEP

6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.88/9vdVVVjsw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

nbveek.exenbveek.exenbveek.exe

pid process

2024 nbveek.exe
552 nbveek.exe
1196 nbveek.exe

pid	process
2024	nbveek.exe
552	nbveek.exe
1196	nbveek.exe

Loads dropped DLL 11 IoCs

Processes:

tmp.exerundll32.exerundll32.exeWerFault.exe

pid	process
840	tmp.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
960	rundll32.exe
960	rundll32.exe
960	rundll32.exe
960	rundll32.exe
1508	WerFault.exe
1508	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1508 960 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe

pid	pid_target	process	target process
1508	960	WerFault.exe	rundll32.exe

pid	process
568	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exenbveek.execmd.exetaskeng.exerundll32.exerundll32.exe

description	pid	process	target process
PID 840 wrote to memory of 2024	840	tmp.exe	nbveek.exe
PID 840 wrote to memory of 2024	840	tmp.exe	nbveek.exe
PID 840 wrote to memory of 2024	840	tmp.exe	nbveek.exe
PID 840 wrote to memory of 2024	840	tmp.exe	nbveek.exe
PID 2024 wrote to memory of 568	2024	nbveek.exe	schtasks.exe
PID 2024 wrote to memory of 568	2024	nbveek.exe	schtasks.exe
PID 2024 wrote to memory of 568	2024	nbveek.exe	schtasks.exe
PID 2024 wrote to memory of 568	2024	nbveek.exe	schtasks.exe
PID 2024 wrote to memory of 1212	2024	nbveek.exe	cmd.exe
PID 2024 wrote to memory of 1212	2024	nbveek.exe	cmd.exe
PID 2024 wrote to memory of 1212	2024	nbveek.exe	cmd.exe
PID 2024 wrote to memory of 1212	2024	nbveek.exe	cmd.exe
PID 1212 wrote to memory of 1696	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1696	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1696	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1696	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1920	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1920	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1920	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1920	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1780	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1780	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1780	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1780	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1776	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1776	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1776	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1776	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1328	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1328	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1328	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1328	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1732	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1732	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1732	1212	cmd.exe	cacls.exe
PID 1212 wrote to memory of 1732	1212	cmd.exe	cacls.exe
PID 800 wrote to memory of 552	800	taskeng.exe	nbveek.exe
PID 800 wrote to memory of 552	800	taskeng.exe	nbveek.exe
PID 800 wrote to memory of 552	800	taskeng.exe	nbveek.exe
PID 800 wrote to memory of 552	800	taskeng.exe	nbveek.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1544	2024	nbveek.exe	rundll32.exe
PID 1544 wrote to memory of 960	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 960	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 960	1544	rundll32.exe	rundll32.exe
PID 1544 wrote to memory of 960	1544	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 2024 wrote to memory of 1648	2024	nbveek.exe	rundll32.exe
PID 960 wrote to memory of 1508	960	rundll32.exe	WerFault.exe
PID 960 wrote to memory of 1508	960	rundll32.exe	WerFault.exe
PID 960 wrote to memory of 1508	960	rundll32.exe	WerFault.exe
PID 800 wrote to memory of 1196	800	taskeng.exe	nbveek.exe
PID 800 wrote to memory of 1196	800	taskeng.exe	nbveek.exe
PID 800 wrote to memory of 1196	800	taskeng.exe	nbveek.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:N"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:R" /E
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 960 -s 344
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1508
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {40ADF585-B0DF-4A7F-9016-8FCF24D38AE8} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  2⤵
  - Executes dropped EXE
  PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
memory/552-68-0x0000000000000000-mapping.dmp

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/840-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/960-78-0x0000000000000000-mapping.dmp

Download
memory/1196-88-0x0000000000000000-mapping.dmp

Download
memory/1212-60-0x0000000000000000-mapping.dmp

Download
memory/1328-66-0x0000000000000000-mapping.dmp

Download
memory/1508-85-0x0000000000000000-mapping.dmp

Download
memory/1544-71-0x0000000000000000-mapping.dmp

Download
memory/1648-79-0x0000000000000000-mapping.dmp

Download
memory/1696-61-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000000000-mapping.dmp

Download
memory/1776-65-0x0000000000000000-mapping.dmp

Download
memory/1780-64-0x0000000000000000-mapping.dmp

Download
memory/1920-62-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download