amadey | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a8f85f937d8106c020a366d7c6ccb4.exe
Size

227KB
MD5

17a8f85f937d8106c020a366d7c6ccb4
SHA1

43ef57b2adf9115c51041b5baba5a1565501b1a1
SHA256

3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
SHA512

ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
SSDEEP

3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4

Score

10^/10

amadey aurora spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

193.42.33.28/0bjdn2Z/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

mnolyk.exebin.exemnolyk.exemnolyk.exe

pid process

1204 mnolyk.exe
1768 bin.exe
1048 mnolyk.exe
1172 mnolyk.exe
Loads dropped DLL 3 IoCs

Processes:

17a8f85f937d8106c020a366d7c6ccb4.exemnolyk.exe

pid process

1560 17a8f85f937d8106c020a366d7c6ccb4.exe
1204 mnolyk.exe
1204 mnolyk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe

pid	process
1204	mnolyk.exe
1768	bin.exe
1048	mnolyk.exe
1172	mnolyk.exe

pid	process
1560	17a8f85f937d8106c020a366d7c6ccb4.exe
1204	mnolyk.exe
1204	mnolyk.exe

pid	process
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17a8f85f937d8106c020a366d7c6ccb4.exemnolyk.execmd.exebin.execmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 1560 wrote to memory of 1204	1560	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 1560 wrote to memory of 1204	1560	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 1560 wrote to memory of 1204	1560	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 1560 wrote to memory of 1204	1560	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 1204 wrote to memory of 560	1204	mnolyk.exe	schtasks.exe
PID 1204 wrote to memory of 560	1204	mnolyk.exe	schtasks.exe
PID 1204 wrote to memory of 560	1204	mnolyk.exe	schtasks.exe
PID 1204 wrote to memory of 560	1204	mnolyk.exe	schtasks.exe
PID 1204 wrote to memory of 652	1204	mnolyk.exe	cmd.exe
PID 1204 wrote to memory of 652	1204	mnolyk.exe	cmd.exe
PID 1204 wrote to memory of 652	1204	mnolyk.exe	cmd.exe
PID 1204 wrote to memory of 652	1204	mnolyk.exe	cmd.exe
PID 652 wrote to memory of 672	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 672	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 672	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 672	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 1164	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1164	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1164	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1164	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1992	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1992	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1992	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1992	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 364	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 364	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 364	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 364	652	cmd.exe	cmd.exe
PID 652 wrote to memory of 1752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 1752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 752	652	cmd.exe	cacls.exe
PID 652 wrote to memory of 752	652	cmd.exe	cacls.exe
PID 1204 wrote to memory of 1768	1204	mnolyk.exe	bin.exe
PID 1204 wrote to memory of 1768	1204	mnolyk.exe	bin.exe
PID 1204 wrote to memory of 1768	1204	mnolyk.exe	bin.exe
PID 1204 wrote to memory of 1768	1204	mnolyk.exe	bin.exe
PID 1768 wrote to memory of 1764	1768	bin.exe	wmic.exe
PID 1768 wrote to memory of 1764	1768	bin.exe	wmic.exe
PID 1768 wrote to memory of 1764	1768	bin.exe	wmic.exe
PID 1768 wrote to memory of 1764	1768	bin.exe	wmic.exe
PID 1768 wrote to memory of 1624	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1624	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1624	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1624	1768	bin.exe	cmd.exe
PID 1624 wrote to memory of 928	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 928	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 928	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 928	1624	cmd.exe	WMIC.exe
PID 1768 wrote to memory of 1716	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	bin.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	bin.exe	cmd.exe
PID 1716 wrote to memory of 1276	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 1276	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 1276	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 1276	1716	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 1048	1660	taskeng.exe	mnolyk.exe
PID 1660 wrote to memory of 1048	1660	taskeng.exe	mnolyk.exe
PID 1660 wrote to memory of 1048	1660	taskeng.exe	mnolyk.exe
PID 1660 wrote to memory of 1048	1660	taskeng.exe	mnolyk.exe

C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe
"C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:672

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:1164

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:364

C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:N"
4⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:R" /E
4⤵
PID:752

C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:1276

C:\Windows\system32\taskeng.exe
taskeng.exe {2AFFDB63-3439-4465-846A-44CEDCB0AEC4} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
2⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit
\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit
\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit