amadey | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

Analysis

max time kernel
113s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a8f85f937d8106c020a366d7c6ccb4.exe
Size

227KB
MD5

17a8f85f937d8106c020a366d7c6ccb4
SHA1

43ef57b2adf9115c51041b5baba5a1565501b1a1
SHA256

3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
SHA512

ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
SSDEEP

3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4

Score

10^/10

amadey aurora spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

193.42.33.28/0bjdn2Z/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mnolyk.exe17a8f85f937d8106c020a366d7c6ccb4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	mnolyk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	17a8f85f937d8106c020a366d7c6ccb4.exe

Executes dropped EXE 4 IoCs

Processes:

mnolyk.exebin.exemnolyk.exemnolyk.exe

pid process

1456 mnolyk.exe
2328 bin.exe
4224 mnolyk.exe
2880 mnolyk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe

pid	process
1456	mnolyk.exe
2328	bin.exe
4224	mnolyk.exe
2880	mnolyk.exe

pid	process
1748	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3924	wmic.exe
Token: SeSecurityPrivilege	3924	wmic.exe
Token: SeTakeOwnershipPrivilege	3924	wmic.exe
Token: SeLoadDriverPrivilege	3924	wmic.exe
Token: SeSystemProfilePrivilege	3924	wmic.exe
Token: SeSystemtimePrivilege	3924	wmic.exe
Token: SeProfSingleProcessPrivilege	3924	wmic.exe
Token: SeIncBasePriorityPrivilege	3924	wmic.exe
Token: SeCreatePagefilePrivilege	3924	wmic.exe
Token: SeBackupPrivilege	3924	wmic.exe
Token: SeRestorePrivilege	3924	wmic.exe
Token: SeShutdownPrivilege	3924	wmic.exe
Token: SeDebugPrivilege	3924	wmic.exe
Token: SeSystemEnvironmentPrivilege	3924	wmic.exe
Token: SeRemoteShutdownPrivilege	3924	wmic.exe
Token: SeUndockPrivilege	3924	wmic.exe
Token: SeManageVolumePrivilege	3924	wmic.exe
Token: 33	3924	wmic.exe
Token: 34	3924	wmic.exe
Token: 35	3924	wmic.exe
Token: 36	3924	wmic.exe
Token: SeIncreaseQuotaPrivilege	3924	wmic.exe
Token: SeSecurityPrivilege	3924	wmic.exe
Token: SeTakeOwnershipPrivilege	3924	wmic.exe
Token: SeLoadDriverPrivilege	3924	wmic.exe
Token: SeSystemProfilePrivilege	3924	wmic.exe
Token: SeSystemtimePrivilege	3924	wmic.exe
Token: SeProfSingleProcessPrivilege	3924	wmic.exe
Token: SeIncBasePriorityPrivilege	3924	wmic.exe
Token: SeCreatePagefilePrivilege	3924	wmic.exe
Token: SeBackupPrivilege	3924	wmic.exe
Token: SeRestorePrivilege	3924	wmic.exe
Token: SeShutdownPrivilege	3924	wmic.exe
Token: SeDebugPrivilege	3924	wmic.exe
Token: SeSystemEnvironmentPrivilege	3924	wmic.exe
Token: SeRemoteShutdownPrivilege	3924	wmic.exe
Token: SeUndockPrivilege	3924	wmic.exe
Token: SeManageVolumePrivilege	3924	wmic.exe
Token: 33	3924	wmic.exe
Token: 34	3924	wmic.exe
Token: 35	3924	wmic.exe
Token: 36	3924	wmic.exe
Token: SeIncreaseQuotaPrivilege	4132	WMIC.exe
Token: SeSecurityPrivilege	4132	WMIC.exe
Token: SeTakeOwnershipPrivilege	4132	WMIC.exe
Token: SeLoadDriverPrivilege	4132	WMIC.exe
Token: SeSystemProfilePrivilege	4132	WMIC.exe
Token: SeSystemtimePrivilege	4132	WMIC.exe
Token: SeProfSingleProcessPrivilege	4132	WMIC.exe
Token: SeIncBasePriorityPrivilege	4132	WMIC.exe
Token: SeCreatePagefilePrivilege	4132	WMIC.exe
Token: SeBackupPrivilege	4132	WMIC.exe
Token: SeRestorePrivilege	4132	WMIC.exe
Token: SeShutdownPrivilege	4132	WMIC.exe
Token: SeDebugPrivilege	4132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4132	WMIC.exe
Token: SeRemoteShutdownPrivilege	4132	WMIC.exe
Token: SeUndockPrivilege	4132	WMIC.exe
Token: SeManageVolumePrivilege	4132	WMIC.exe
Token: 33	4132	WMIC.exe
Token: 34	4132	WMIC.exe
Token: 35	4132	WMIC.exe
Token: 36	4132	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4132	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

17a8f85f937d8106c020a366d7c6ccb4.exemnolyk.execmd.exebin.execmd.execmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 1456	5056	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 5056 wrote to memory of 1456	5056	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 5056 wrote to memory of 1456	5056	17a8f85f937d8106c020a366d7c6ccb4.exe	mnolyk.exe
PID 1456 wrote to memory of 1748	1456	mnolyk.exe	schtasks.exe
PID 1456 wrote to memory of 1748	1456	mnolyk.exe	schtasks.exe
PID 1456 wrote to memory of 1748	1456	mnolyk.exe	schtasks.exe
PID 1456 wrote to memory of 4668	1456	mnolyk.exe	cmd.exe
PID 1456 wrote to memory of 4668	1456	mnolyk.exe	cmd.exe
PID 1456 wrote to memory of 4668	1456	mnolyk.exe	cmd.exe
PID 4668 wrote to memory of 3772	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 3772	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 3772	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 3420	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 3420	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 3420	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4032	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4032	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4032	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4268	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 4268	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 4268	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 4700	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4700	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 4700	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 2360	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 2360	4668	cmd.exe	cacls.exe
PID 4668 wrote to memory of 2360	4668	cmd.exe	cacls.exe
PID 1456 wrote to memory of 2328	1456	mnolyk.exe	bin.exe
PID 1456 wrote to memory of 2328	1456	mnolyk.exe	bin.exe
PID 1456 wrote to memory of 2328	1456	mnolyk.exe	bin.exe
PID 2328 wrote to memory of 3924	2328	bin.exe	wmic.exe
PID 2328 wrote to memory of 3924	2328	bin.exe	wmic.exe
PID 2328 wrote to memory of 3924	2328	bin.exe	wmic.exe
PID 2328 wrote to memory of 5096	2328	bin.exe	cmd.exe
PID 2328 wrote to memory of 5096	2328	bin.exe	cmd.exe
PID 2328 wrote to memory of 5096	2328	bin.exe	cmd.exe
PID 5096 wrote to memory of 4132	5096	cmd.exe	WMIC.exe
PID 5096 wrote to memory of 4132	5096	cmd.exe	WMIC.exe
PID 5096 wrote to memory of 4132	5096	cmd.exe	WMIC.exe
PID 2328 wrote to memory of 3588	2328	bin.exe	cmd.exe
PID 2328 wrote to memory of 3588	2328	bin.exe	cmd.exe
PID 2328 wrote to memory of 3588	2328	bin.exe	cmd.exe
PID 3588 wrote to memory of 616	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 616	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 616	3588	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe
"C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3772

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:3420

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4268

C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:N"
4⤵
PID:4700

C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:R" /E
4⤵
PID:2360

C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Filesize
227KB

MD5
17a8f85f937d8106c020a366d7c6ccb4

SHA1
43ef57b2adf9115c51041b5baba5a1565501b1a1

SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800

SHA512
ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dd7a4110e2dc0760efdd47ee918c0deb

SHA1
5ed5efe128e521023e0caf4fff9af747522c8166

SHA256
550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084

SHA512
c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
dc2b0f48d8f547d5ff7d67b371d850f0

SHA1
84d02ddbf478bf7cfe9ccb466362860ee18b3839

SHA256
0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890

SHA512
3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

Download Submit
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
Filesize
3.0MB

MD5
af4268c094f2a9c6e6a85f8626b9a5c7

SHA1
7d6b6083ec9081f52517cc7952dfb0c1c416e395

SHA256
07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165

SHA512
2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68

Download Submit