amadey | 232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-03-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

364KB
MD5

624053fd08cbbd4b037d42abf3bebccf
SHA1

9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0
SHA256

232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a
SHA512

0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6
SSDEEP

6144:1IlO3QxkS7Vhc6l3qbPar3jriFa5gMfSuK+yJXsnGqgHt56b2:iqQxDpq6l3qbParyFa5/SVlvq5K

Score

10^/10

amadey collection cred module spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.21

185.215.113.15/Lkb2dxj3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 7 IoCs

cred module

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll	amadey_cred_module
behavioral1/memory/1784-98-0x0000000000120000-0x0000000000144000-memory.dmp	amadey_cred_module

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 1784 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

bguuwe.exebguuwe.exebguuwe.exebguuwe.exe

pid process

1956 bguuwe.exe
1132 bguuwe.exe
820 bguuwe.exe
1532 bguuwe.exe
Loads dropped DLL 6 IoCs

Processes:

tmp.exerundll32.exe

pid process

2000 tmp.exe
2000 tmp.exe
1784 rundll32.exe
1784 rundll32.exe
1784 rundll32.exe
1784 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1784	rundll32.exe

pid	process
1956	bguuwe.exe
1132	bguuwe.exe
820	bguuwe.exe
1532	bguuwe.exe

pid	process
2000	tmp.exe
2000	tmp.exe
1784	rundll32.exe
1784	rundll32.exe
1784	rundll32.exe
1784	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1152 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1784 rundll32.exe
1784 rundll32.exe
1784 rundll32.exe
1784 rundll32.exe

pid	process
1152	schtasks.exe

pid	process
1784	rundll32.exe
1784	rundll32.exe
1784	rundll32.exe
1784	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

tmp.exebguuwe.execmd.exetaskeng.exe

description	pid	process	target process
PID 2000 wrote to memory of 1956	2000	tmp.exe	bguuwe.exe
PID 2000 wrote to memory of 1956	2000	tmp.exe	bguuwe.exe
PID 2000 wrote to memory of 1956	2000	tmp.exe	bguuwe.exe
PID 2000 wrote to memory of 1956	2000	tmp.exe	bguuwe.exe
PID 1956 wrote to memory of 464	1956	bguuwe.exe	cmd.exe
PID 1956 wrote to memory of 464	1956	bguuwe.exe	cmd.exe
PID 1956 wrote to memory of 464	1956	bguuwe.exe	cmd.exe
PID 1956 wrote to memory of 464	1956	bguuwe.exe	cmd.exe
PID 1956 wrote to memory of 1152	1956	bguuwe.exe	schtasks.exe
PID 1956 wrote to memory of 1152	1956	bguuwe.exe	schtasks.exe
PID 1956 wrote to memory of 1152	1956	bguuwe.exe	schtasks.exe
PID 1956 wrote to memory of 1152	1956	bguuwe.exe	schtasks.exe
PID 464 wrote to memory of 1964	464	cmd.exe	reg.exe
PID 464 wrote to memory of 1964	464	cmd.exe	reg.exe
PID 464 wrote to memory of 1964	464	cmd.exe	reg.exe
PID 464 wrote to memory of 1964	464	cmd.exe	reg.exe
PID 1760 wrote to memory of 1132	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1132	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1132	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1132	1760	taskeng.exe	bguuwe.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1956 wrote to memory of 1784	1956	bguuwe.exe	rundll32.exe
PID 1760 wrote to memory of 820	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 820	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 820	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 820	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1532	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1532	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1532	1760	taskeng.exe	bguuwe.exe
PID 1760 wrote to memory of 1532	1760	taskeng.exe	bguuwe.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
"C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
3⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
4⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
3⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1784

C:\Windows\system32\taskeng.exe
taskeng.exe {EB3C8329-6C72-4A3B-BB8D-A1EF76F48930} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
2⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
2⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\036338834658

Filesize
61KB

MD5
1aa14563c48733fb2fd61bf84e534084

SHA1
d64da109ff62d853c5f96df48954e0bc2a5d9da1

SHA256
dea8765e4dc2af42d64ae764838f05a6a1941f255298dd50d174067799213dce

SHA512
c2ef6190495f4d99f7e22ddfc4484ac648350cb1c7caf455bf8809d25c2c874f1d3dde00e7a545c5cb2753d3666d1dd92476f8a7082bb7bc7213b0d2dc3aec96

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Filesize
364KB

MD5
624053fd08cbbd4b037d42abf3bebccf

SHA1
9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0

SHA256
232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a

SHA512
0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6

Download Submit
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
\Users\Admin\AppData\Roaming\110809d565579c\cred.dll

Filesize
126KB

MD5
e507e6d6e53146d7c7d7560845d7b51c

SHA1
12dfec1df517037846dea8044a0edc409b790a13

SHA256
e49833410fea53f166523cc960fc7d60ddfcf60d0fc2024e68dbabab27ce8313

SHA512
f81d8232ea61e94dc139eccd2f9246727eb569776f9bef8e25bbb4d7abe2b796ea740ccffaf1b2dd7a01e9dddb51180ca12e563ff4e7a2604f4503ebeed0d29e

Download Submit
memory/820-101-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1132-79-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1532-110-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1784-98-0x0000000000120000-0x0000000000144000-memory.dmp

Filesize
144KB

Download
memory/1956-90-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1956-80-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1956-102-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/1956-105-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/2000-65-0x0000000000400000-0x0000000000A8C000-memory.dmp

Filesize
6.5MB

Download
memory/2000-66-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download