amadey | 38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325cedfb3e4d23ddf1062ad55b6f6b6e.exe
Size

3.7MB
MD5

325cedfb3e4d23ddf1062ad55b6f6b6e
SHA1

bd30d64d8dd8f4862461da3137686951870a466f
SHA256

38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef
SHA512

17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab
SSDEEP

98304:uSWz0m6iijzsGupvTo9GDd1HwAOiU0KIX6ksJc:Tfti2Ys9GDd1HjpU0pX6m

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.83

62.182.156.152/so57Nst/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

325cedfb3e4d23ddf1062ad55b6f6b6e.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	325cedfb3e4d23ddf1062ad55b6f6b6e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 3 IoCs

Processes:

oneetx.exeoneetx.exeoneetx.exe

pid process

1228 oneetx.exe
4912 oneetx.exe
376 oneetx.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4100 rundll32.exe
4128 rundll32.exe
836 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1016 4128 WerFault.exe rundll32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3544 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

325cedfb3e4d23ddf1062ad55b6f6b6e.exe

pid process

4928 325cedfb3e4d23ddf1062ad55b6f6b6e.exe

pid	process
1228	oneetx.exe
4912	oneetx.exe
376	oneetx.exe

pid	process
4100	rundll32.exe
4128	rundll32.exe
836	rundll32.exe

pid	pid_target	process	target process
1016	4128	WerFault.exe	rundll32.exe

pid	process
3544	schtasks.exe

pid	process
4928	325cedfb3e4d23ddf1062ad55b6f6b6e.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

325cedfb3e4d23ddf1062ad55b6f6b6e.exeoneetx.execmd.exerundll32.exe

description	pid	process	target process
PID 4928 wrote to memory of 1228	4928	325cedfb3e4d23ddf1062ad55b6f6b6e.exe	oneetx.exe
PID 4928 wrote to memory of 1228	4928	325cedfb3e4d23ddf1062ad55b6f6b6e.exe	oneetx.exe
PID 4928 wrote to memory of 1228	4928	325cedfb3e4d23ddf1062ad55b6f6b6e.exe	oneetx.exe
PID 1228 wrote to memory of 3544	1228	oneetx.exe	schtasks.exe
PID 1228 wrote to memory of 3544	1228	oneetx.exe	schtasks.exe
PID 1228 wrote to memory of 3544	1228	oneetx.exe	schtasks.exe
PID 1228 wrote to memory of 316	1228	oneetx.exe	cmd.exe
PID 1228 wrote to memory of 316	1228	oneetx.exe	cmd.exe
PID 1228 wrote to memory of 316	1228	oneetx.exe	cmd.exe
PID 316 wrote to memory of 1524	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 1524	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 1524	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 3428	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 3428	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 3428	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 4388	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 4388	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 4388	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 4784	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 4784	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 4784	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 2996	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 2996	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 2996	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 3548	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 3548	316	cmd.exe	cacls.exe
PID 316 wrote to memory of 3548	316	cmd.exe	cacls.exe
PID 1228 wrote to memory of 4100	1228	oneetx.exe	rundll32.exe
PID 1228 wrote to memory of 4100	1228	oneetx.exe	rundll32.exe
PID 1228 wrote to memory of 4100	1228	oneetx.exe	rundll32.exe
PID 4100 wrote to memory of 4128	4100	rundll32.exe	rundll32.exe
PID 4100 wrote to memory of 4128	4100	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 836	1228	oneetx.exe	rundll32.exe
PID 1228 wrote to memory of 836	1228	oneetx.exe	rundll32.exe
PID 1228 wrote to memory of 836	1228	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\325cedfb3e4d23ddf1062ad55b6f6b6e.exe
"C:\Users\Admin\AppData\Local\Temp\325cedfb3e4d23ddf1062ad55b6f6b6e.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe" /F
3⤵
- Creates scheduled task(s)
PID:3544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9b11736588" /P "Admin:N"&&CACLS "..\9b11736588" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1524

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
4⤵
PID:3428

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
4⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9b11736588" /P "Admin:N"
4⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
CACLS "..\9b11736588" /P "Admin:R" /E
4⤵
PID:3548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4128 -s 644
5⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:836

C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4128 -ip 4128
1⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe
1⤵
- Executes dropped EXE
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\275444769369

Filesize
82KB

MD5
18053d59705db0243e2750cc21436011

SHA1
778cd81d9841dbe04b2b98f82bc8cb176755fee7

SHA256
fcb5b26eb81058daafb4db381e7f529b427330a8700dc222c282437937683bf3

SHA512
11bb1a7768dd3b1f146cdd4740715b729921f34ebc8f966b68616225027f72a12d0dbd1cc195f931e78ebb7a2239ead8c2dff1a8a5134e4ad5b48de975217122

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe

Filesize
3.7MB

MD5
325cedfb3e4d23ddf1062ad55b6f6b6e

SHA1
bd30d64d8dd8f4862461da3137686951870a466f

SHA256
38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

SHA512
17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe

Filesize
3.7MB

MD5
325cedfb3e4d23ddf1062ad55b6f6b6e

SHA1
bd30d64d8dd8f4862461da3137686951870a466f

SHA256
38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

SHA512
17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe

Filesize
3.7MB

MD5
325cedfb3e4d23ddf1062ad55b6f6b6e

SHA1
bd30d64d8dd8f4862461da3137686951870a466f

SHA256
38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

SHA512
17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe

Filesize
3.7MB

MD5
325cedfb3e4d23ddf1062ad55b6f6b6e

SHA1
bd30d64d8dd8f4862461da3137686951870a466f

SHA256
38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

SHA512
17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b11736588\oneetx.exe

Filesize
3.7MB

MD5
325cedfb3e4d23ddf1062ad55b6f6b6e

SHA1
bd30d64d8dd8f4862461da3137686951870a466f

SHA256
38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef

SHA512
17daf234fdaedca6b4a5b6e7a8b34f0ae5ffefc1c4c11edb40f87498d25b09377b0898b3ad648ed093a6b35ce6b227a3f9f69e37e752931f2722f61c23f066ab

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
77a6fdd6c731f7da07ffc412c9f17347

SHA1
0017710c7fc14022277ebf151964c79ebdf0106e

SHA256
9f564eb9675e6159111b6d0b1ddf6389dc3d93cefd314443bf5a2b7e73c59946

SHA512
7fe1897b462fc03faf0b220c8c7876e59ac326811a39d271b914bb609274bb8bdc5da252bf9228cc15262c14642207f5ebd665efa40cfcb5d48a20c05308c3f2

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
77a6fdd6c731f7da07ffc412c9f17347

SHA1
0017710c7fc14022277ebf151964c79ebdf0106e

SHA256
9f564eb9675e6159111b6d0b1ddf6389dc3d93cefd314443bf5a2b7e73c59946

SHA512
7fe1897b462fc03faf0b220c8c7876e59ac326811a39d271b914bb609274bb8bdc5da252bf9228cc15262c14642207f5ebd665efa40cfcb5d48a20c05308c3f2

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
77a6fdd6c731f7da07ffc412c9f17347

SHA1
0017710c7fc14022277ebf151964c79ebdf0106e

SHA256
9f564eb9675e6159111b6d0b1ddf6389dc3d93cefd314443bf5a2b7e73c59946

SHA512
7fe1897b462fc03faf0b220c8c7876e59ac326811a39d271b914bb609274bb8bdc5da252bf9228cc15262c14642207f5ebd665efa40cfcb5d48a20c05308c3f2

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.0MB

MD5
e6ab640c5271a1c4dda09a46e63aeb81

SHA1
aac907437f84098fec291732b5ac05c49217b0f1

SHA256
6d9865345877c9d57b7589392d8870ab7a225287606b9e2019860737cd5da4fe

SHA512
dc70893e9efbe63fb5b40b89650c8fbd03d35f4a41b09bc0a4f5e3973ee4f50f7d7bbd11bacf6d7c857eff078342dfb971e86f1254d6915c16697c3c89c34714

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.0MB

MD5
e6ab640c5271a1c4dda09a46e63aeb81

SHA1
aac907437f84098fec291732b5ac05c49217b0f1

SHA256
6d9865345877c9d57b7589392d8870ab7a225287606b9e2019860737cd5da4fe

SHA512
dc70893e9efbe63fb5b40b89650c8fbd03d35f4a41b09bc0a4f5e3973ee4f50f7d7bbd11bacf6d7c857eff078342dfb971e86f1254d6915c16697c3c89c34714

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.0MB

MD5
e6ab640c5271a1c4dda09a46e63aeb81

SHA1
aac907437f84098fec291732b5ac05c49217b0f1

SHA256
6d9865345877c9d57b7589392d8870ab7a225287606b9e2019860737cd5da4fe

SHA512
dc70893e9efbe63fb5b40b89650c8fbd03d35f4a41b09bc0a4f5e3973ee4f50f7d7bbd11bacf6d7c857eff078342dfb971e86f1254d6915c16697c3c89c34714

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.0MB

MD5
e6ab640c5271a1c4dda09a46e63aeb81

SHA1
aac907437f84098fec291732b5ac05c49217b0f1

SHA256
6d9865345877c9d57b7589392d8870ab7a225287606b9e2019860737cd5da4fe

SHA512
dc70893e9efbe63fb5b40b89650c8fbd03d35f4a41b09bc0a4f5e3973ee4f50f7d7bbd11bacf6d7c857eff078342dfb971e86f1254d6915c16697c3c89c34714

Download Submit
memory/376-218-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/376-214-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/376-211-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/1228-205-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/1228-168-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/1228-154-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4912-180-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4912-176-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4912-173-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4928-151-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4928-133-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download
memory/4928-135-0x0000000000400000-0x0000000000B97000-memory.dmp

Filesize
7.6MB

Download