amadey | a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7C5F0FB436E189AD3E8C2074F9F1CC24.exe
Size

1.7MB
MD5

7c5f0fb436e189ad3e8c2074f9f1cc24
SHA1

1cc2189c2b8d5d8cfe1cbe520770ac523612b792
SHA256

a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558
SHA512

74cb36646a665a4b6c3b040c8937251e2c30f169d1ae1c50e98430f87b035ad25d8f24292ce0aff09203fec00f2b93964c79eabd82da964acf02ba24cf554533
SSDEEP

12288:hsmqGF1MtAY8J0awXVF005vhTlqIKJh7x/iib25QPHUtd:hz/LpY8KawX0YvZsx/iib2Ew

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.85

getupdate.click/8bmeVwqx/index.php

getupdate2.click /8bmeVwqx/index.php

getupdate3.click/8bmeVwqx/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	7C5F0FB436E189AD3E8C2074F9F1CC24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	jbruyer.exe

Executes dropped EXE 1 IoCs

pid	Process
432	jbruyer.exe

Loads dropped DLL 9 IoCs

pid	Process
5108	rundll32.exe
5080	rundll32.exe
2272	rundll32.exe
4084	rundll32.exe
4240	rundll32.exe
3756	rundll32.exe
4092	rundll32.exe
4880	rundll32.exe
624	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
220	3756	WerFault.exe	110
2512	4240	WerFault.exe	109
4692	4084	WerFault.exe	108

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1684	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2804	7C5F0FB436E189AD3E8C2074F9F1CC24.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 432	2804	7C5F0FB436E189AD3E8C2074F9F1CC24.exe	85
PID 2804 wrote to memory of 432	2804	7C5F0FB436E189AD3E8C2074F9F1CC24.exe	85
PID 2804 wrote to memory of 432	2804	7C5F0FB436E189AD3E8C2074F9F1CC24.exe	85
PID 432 wrote to memory of 1684	432	jbruyer.exe	86
PID 432 wrote to memory of 1684	432	jbruyer.exe	86
PID 432 wrote to memory of 1684	432	jbruyer.exe	86
PID 432 wrote to memory of 4144	432	jbruyer.exe	88
PID 432 wrote to memory of 4144	432	jbruyer.exe	88
PID 432 wrote to memory of 4144	432	jbruyer.exe	88
PID 4144 wrote to memory of 3352	4144	cmd.exe	90
PID 4144 wrote to memory of 3352	4144	cmd.exe	90
PID 4144 wrote to memory of 3352	4144	cmd.exe	90
PID 4144 wrote to memory of 2688	4144	cmd.exe	91
PID 4144 wrote to memory of 2688	4144	cmd.exe	91
PID 4144 wrote to memory of 2688	4144	cmd.exe	91
PID 4144 wrote to memory of 4640	4144	cmd.exe	92
PID 4144 wrote to memory of 4640	4144	cmd.exe	92
PID 4144 wrote to memory of 4640	4144	cmd.exe	92
PID 4144 wrote to memory of 1856	4144	cmd.exe	93
PID 4144 wrote to memory of 1856	4144	cmd.exe	93
PID 4144 wrote to memory of 1856	4144	cmd.exe	93
PID 4144 wrote to memory of 4324	4144	cmd.exe	94
PID 4144 wrote to memory of 4324	4144	cmd.exe	94
PID 4144 wrote to memory of 4324	4144	cmd.exe	94
PID 4144 wrote to memory of 416	4144	cmd.exe	95
PID 4144 wrote to memory of 416	4144	cmd.exe	95
PID 4144 wrote to memory of 416	4144	cmd.exe	95
PID 432 wrote to memory of 2272	432	jbruyer.exe	105
PID 432 wrote to memory of 2272	432	jbruyer.exe	105
PID 432 wrote to memory of 2272	432	jbruyer.exe	105
PID 432 wrote to memory of 5108	432	jbruyer.exe	106
PID 432 wrote to memory of 5108	432	jbruyer.exe	106
PID 432 wrote to memory of 5108	432	jbruyer.exe	106
PID 432 wrote to memory of 5080	432	jbruyer.exe	107
PID 432 wrote to memory of 5080	432	jbruyer.exe	107
PID 432 wrote to memory of 5080	432	jbruyer.exe	107
PID 5080 wrote to memory of 4084	5080	rundll32.exe	108
PID 5080 wrote to memory of 4084	5080	rundll32.exe	108
PID 5108 wrote to memory of 4240	5108	rundll32.exe	109
PID 5108 wrote to memory of 4240	5108	rundll32.exe	109
PID 2272 wrote to memory of 3756	2272	rundll32.exe	110
PID 2272 wrote to memory of 3756	2272	rundll32.exe	110
PID 432 wrote to memory of 4092	432	jbruyer.exe	112
PID 432 wrote to memory of 4092	432	jbruyer.exe	112
PID 432 wrote to memory of 4092	432	jbruyer.exe	112
PID 432 wrote to memory of 4880	432	jbruyer.exe	113
PID 432 wrote to memory of 4880	432	jbruyer.exe	113
PID 432 wrote to memory of 4880	432	jbruyer.exe	113
PID 432 wrote to memory of 624	432	jbruyer.exe	114
PID 432 wrote to memory of 624	432	jbruyer.exe	114
PID 432 wrote to memory of 624	432	jbruyer.exe	114

C:\Users\Admin\AppData\Local\Temp\7C5F0FB436E189AD3E8C2074F9F1CC24.exe
"C:\Users\Admin\AppData\Local\Temp\7C5F0FB436E189AD3E8C2074F9F1CC24.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe
  "C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jbruyer.exe /TR "C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "jbruyer.exe" /P "Admin:N"&&CACLS "jbruyer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\572327b079" /P "Admin:N"&&CACLS "..\572327b079" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3352
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:N"
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:R" /E
      4⤵
      PID:4640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\572327b079" /P "Admin:N"
      4⤵
      PID:4324
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\572327b079" /P "Admin:R" /E
      4⤵
      PID:416
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3756
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3756 -s 644
        5⤵
        Program crash
        
        PID:220
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4240
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4240 -s 644
        5⤵
        Program crash
        
        PID:2512
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4084
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4084 -s 644
        5⤵
        Program crash
        
        PID:4692
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4092
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4880
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 3756 -ip 3756
1⤵
PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4084 -ip 4084
1⤵
PID:3644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 4240 -ip 4240
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\043950675197

Filesize
82KB

MD5
6639dd5d58635122eb44321bbe425aa9

SHA1
b5844cfdb61756f38a8d3b803378da7519e5c090

SHA256
561207abcbb8b3fbc08bbec6ddbe8af19a18ceffb865bfe063dbd60acb503383

SHA512
a384a54c18fedbf3806279cb514a504ba638a13f6537c4e8dd5c39d0b6797cff52221f001306fedce0bd8a77378815ffbb4d982b44b3b721d34bbf3a5e5b2c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe

Filesize
1.7MB

MD5
7c5f0fb436e189ad3e8c2074f9f1cc24

SHA1
1cc2189c2b8d5d8cfe1cbe520770ac523612b792

SHA256
a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

SHA512
74cb36646a665a4b6c3b040c8937251e2c30f169d1ae1c50e98430f87b035ad25d8f24292ce0aff09203fec00f2b93964c79eabd82da964acf02ba24cf554533

Download Submit
C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe

Filesize
1.7MB

MD5
7c5f0fb436e189ad3e8c2074f9f1cc24

SHA1
1cc2189c2b8d5d8cfe1cbe520770ac523612b792

SHA256
a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

SHA512
74cb36646a665a4b6c3b040c8937251e2c30f169d1ae1c50e98430f87b035ad25d8f24292ce0aff09203fec00f2b93964c79eabd82da964acf02ba24cf554533

Download Submit
C:\Users\Admin\AppData\Local\Temp\572327b079\jbruyer.exe

Filesize
1.7MB

MD5
7c5f0fb436e189ad3e8c2074f9f1cc24

SHA1
1cc2189c2b8d5d8cfe1cbe520770ac523612b792

SHA256
a1c3aab7bc661fee2a1b3dea08f827e179d0991a58438efe8c464d22f9d73558

SHA512
74cb36646a665a4b6c3b040c8937251e2c30f169d1ae1c50e98430f87b035ad25d8f24292ce0aff09203fec00f2b93964c79eabd82da964acf02ba24cf554533

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll

Filesize
89KB

MD5
da32ba5704b945ff08dc50e17ce1bb5c

SHA1
2d8c567b3918069a58b58d37d3c604be6506011a

SHA256
4d1d9f05d39658ddb56ad061ffaf6a5e831b37d10507a548a170113bc81a4ad3

SHA512
965695e8e8c57acac914d35d3977360bfbff6286927586ecc5a0eb0c575ff6db5640fcd0d3b4fedf3164c63ead412375d19bed0ff098d41df9dbc879aa7b0672

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll

Filesize
89KB

MD5
da32ba5704b945ff08dc50e17ce1bb5c

SHA1
2d8c567b3918069a58b58d37d3c604be6506011a

SHA256
4d1d9f05d39658ddb56ad061ffaf6a5e831b37d10507a548a170113bc81a4ad3

SHA512
965695e8e8c57acac914d35d3977360bfbff6286927586ecc5a0eb0c575ff6db5640fcd0d3b4fedf3164c63ead412375d19bed0ff098d41df9dbc879aa7b0672

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll

Filesize
89KB

MD5
da32ba5704b945ff08dc50e17ce1bb5c

SHA1
2d8c567b3918069a58b58d37d3c604be6506011a

SHA256
4d1d9f05d39658ddb56ad061ffaf6a5e831b37d10507a548a170113bc81a4ad3

SHA512
965695e8e8c57acac914d35d3977360bfbff6286927586ecc5a0eb0c575ff6db5640fcd0d3b4fedf3164c63ead412375d19bed0ff098d41df9dbc879aa7b0672

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll

Filesize
89KB

MD5
da32ba5704b945ff08dc50e17ce1bb5c

SHA1
2d8c567b3918069a58b58d37d3c604be6506011a

SHA256
4d1d9f05d39658ddb56ad061ffaf6a5e831b37d10507a548a170113bc81a4ad3

SHA512
965695e8e8c57acac914d35d3977360bfbff6286927586ecc5a0eb0c575ff6db5640fcd0d3b4fedf3164c63ead412375d19bed0ff098d41df9dbc879aa7b0672

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\clip64.dll

Filesize
89KB

MD5
da32ba5704b945ff08dc50e17ce1bb5c

SHA1
2d8c567b3918069a58b58d37d3c604be6506011a

SHA256
4d1d9f05d39658ddb56ad061ffaf6a5e831b37d10507a548a170113bc81a4ad3

SHA512
965695e8e8c57acac914d35d3977360bfbff6286927586ecc5a0eb0c575ff6db5640fcd0d3b4fedf3164c63ead412375d19bed0ff098d41df9dbc879aa7b0672

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
C:\Users\Admin\AppData\Roaming\f4303a44f01a77\cred64.dll

Filesize
1.1MB

MD5
60cf7bdab887c8e4d3425d94ececd8d0

SHA1
a0147334806123358c8051676b55941f6d997fa8

SHA256
414cfc196f16fa63ef7d04492d3bc0d061a886c8f5eb78d62ffa7ac238d5b274

SHA512
6c8beeac97dec8d9e624a9e0e8622e0c41a1f5dfe997b046f595fac94ba79a5b9684e0bec423ce23535dfa29285cb836d567958ea6304f51bd924ceaf964a367

Download Submit
memory/432-162-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/432-146-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/432-204-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2804-133-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2804-145-0x0000000004140000-0x0000000004283000-memory.dmp

Filesize
1.3MB

Download
memory/2804-144-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads