Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2023 13:17

General

  • Target

    765061-creddll.dll

  • Size

    126KB

  • MD5

    2930d1a61c3e082b983802bf71266ec0

  • SHA1

    9b676931a59da39eac50a08c15d5c4beb22ac366

  • SHA256

    5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3

  • SHA512

    df8038ac7866a9929d56f138380ec75b78723a5a99ce425f394b216f8a30597a90e6f1173269dda06b3a414b0ccab60a6cf1fef2d0047f5ed010d5c7f9aed53b

  • SSDEEP

    3072:Yx7p5EJTJx+Rg/TwY1o9CeQepHOSNGwbQ6kUzlCN9V0869:Yx781URg/eCeZfIUzlC

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Amadey credential stealer module 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\765061-creddll.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\765061-creddll.dll,#1
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • outlook_win_path
      PID:1356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1356-54-0x0000000000150000-0x0000000000174000-memory.dmp

    Filesize

    144KB