amadey | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

Analysis

max time kernel
114s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

ebd584e9c1a400cd5d4bafa0e7936468
SHA1

d263c62902326425ed17855d49d35003abcd797b
SHA256

ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512

e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
SSDEEP

6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.88/9vdVVVjsw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	nbveek.exe

Executes dropped EXE 3 IoCs

Processes:

nbveek.exenbveek.exenbveek.exe

pid process

4312 nbveek.exe
3688 nbveek.exe
864 nbveek.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

5116 rundll32.exe
1848 rundll32.exe
1496 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1664 1848 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3540 schtasks.exe

pid	process
4312	nbveek.exe
3688	nbveek.exe
864	nbveek.exe

pid	process
5116	rundll32.exe
1848	rundll32.exe
1496	rundll32.exe

pid	pid_target	process	target process
1664	1848	WerFault.exe	rundll32.exe

pid	process
3540	schtasks.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

tmp.exenbveek.execmd.exerundll32.exe

description	pid	process	target process
PID 376 wrote to memory of 4312	376	tmp.exe	nbveek.exe
PID 376 wrote to memory of 4312	376	tmp.exe	nbveek.exe
PID 376 wrote to memory of 4312	376	tmp.exe	nbveek.exe
PID 4312 wrote to memory of 3540	4312	nbveek.exe	schtasks.exe
PID 4312 wrote to memory of 3540	4312	nbveek.exe	schtasks.exe
PID 4312 wrote to memory of 3540	4312	nbveek.exe	schtasks.exe
PID 4312 wrote to memory of 1144	4312	nbveek.exe	cmd.exe
PID 4312 wrote to memory of 1144	4312	nbveek.exe	cmd.exe
PID 4312 wrote to memory of 1144	4312	nbveek.exe	cmd.exe
PID 1144 wrote to memory of 1628	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1628	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1628	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 3272	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 3272	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 3272	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1672	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1672	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1672	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1380	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1380	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1380	1144	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1460	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1460	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 1460	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 3908	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 3908	1144	cmd.exe	cacls.exe
PID 1144 wrote to memory of 3908	1144	cmd.exe	cacls.exe
PID 4312 wrote to memory of 5116	4312	nbveek.exe	rundll32.exe
PID 4312 wrote to memory of 5116	4312	nbveek.exe	rundll32.exe
PID 4312 wrote to memory of 5116	4312	nbveek.exe	rundll32.exe
PID 5116 wrote to memory of 1848	5116	rundll32.exe	rundll32.exe
PID 5116 wrote to memory of 1848	5116	rundll32.exe	rundll32.exe
PID 4312 wrote to memory of 1496	4312	nbveek.exe	rundll32.exe
PID 4312 wrote to memory of 1496	4312	nbveek.exe	rundll32.exe
PID 4312 wrote to memory of 1496	4312	nbveek.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:3272
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:N"
      4⤵
      PID:1460
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9e0894bcc4" /P "Admin:R" /E
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1848
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1848 -s 680
        5⤵
        Program crash
        
        PID:1664
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1848 -ip 1848
1⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1⤵
- Executes dropped EXE
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe

Filesize
235KB

MD5
ebd584e9c1a400cd5d4bafa0e7936468

SHA1
d263c62902326425ed17855d49d35003abcd797b

SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
e1fe62c436de6b2c3bf0fd32e0f779c1

SHA1
dbaadf172ed878592ae299e27eb98e2614b7b36b

SHA256
3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405

SHA512
e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.0MB

MD5
d1eb5caae43e95e1f369ca373a5e192d

SHA1
bafa865f8f2cb5bddf951357e70af9fb011d6ac2

SHA256
cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0

SHA512
e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

Download Submit
memory/1144-136-0x0000000000000000-mapping.dmp

Download
memory/1380-140-0x0000000000000000-mapping.dmp

Download
memory/1460-141-0x0000000000000000-mapping.dmp

Download
memory/1496-148-0x0000000000000000-mapping.dmp

Download
memory/1628-137-0x0000000000000000-mapping.dmp

Download
memory/1672-139-0x0000000000000000-mapping.dmp

Download
memory/1848-146-0x0000000000000000-mapping.dmp

Download
memory/3272-138-0x0000000000000000-mapping.dmp

Download
memory/3540-135-0x0000000000000000-mapping.dmp

Download
memory/3908-142-0x0000000000000000-mapping.dmp

Download
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/5116-143-0x0000000000000000-mapping.dmp

Download