amadey | 2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef

General

Target

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe
Size

2.3MB
MD5

adb7d29709bbc6b756cca7b7dda5658e
SHA1

41487c37e04720a70d6f2c467aaacbf999e11bd5
SHA256

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef
SHA512

f0562cac20ac06a5c2c3f674b02aaf1dab97556f69fa759a410c1618945c89b15c0e49473fe269c13b6fbe133418c77a041857e0fcd0a3d4c6fc1f4aa2b02ff4
SSDEEP

24576:mxltyHQflUh/U5owayCu20tjmbCgCQtAERGsUdMhlh:mxbflOadltgCQsrMhX

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

45.9.74.182/b7djSDcPcZ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assdfmdswkhs.lnk	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe

Loads dropped DLL 3 IoCs

pid	Process
360	rundll32.exe
2472	rundll32.exe
824	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4788 set thread context of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5080	2472	WerFault.exe	72

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 4788 wrote to memory of 1168	4788	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe	69
PID 1168 wrote to memory of 360	1168	MsBuild.exe	70
PID 1168 wrote to memory of 360	1168	MsBuild.exe	70
PID 1168 wrote to memory of 360	1168	MsBuild.exe	70
PID 1168 wrote to memory of 824	1168	MsBuild.exe	71
PID 1168 wrote to memory of 824	1168	MsBuild.exe	71
PID 1168 wrote to memory of 824	1168	MsBuild.exe	71
PID 360 wrote to memory of 2472	360	rundll32.exe	72
PID 360 wrote to memory of 2472	360	rundll32.exe	72

C:\Users\Admin\AppData\Local\Temp\2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe
"C:\Users\Admin\AppData\Local\Temp\2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2472
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2472 -s 596
        5⤵
        Program crash
        
        PID:5080
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
memory/1168-177-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-152-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-155-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4788-148-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-132-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-142-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-144-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-146-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-120-0x0000000000760000-0x00000000009B2000-memory.dmp

Filesize
2.3MB

Download
memory/4788-150-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-151-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4788-138-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-136-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-134-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-140-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-130-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-158-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4788-164-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/4788-128-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-127-0x00000000051F0000-0x0000000005205000-memory.dmp

Filesize
84KB

Download
memory/4788-126-0x00000000051F0000-0x000000000520C000-memory.dmp

Filesize
112KB

Download
memory/4788-125-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4788-123-0x0000000002CC0000-0x0000000002D12000-memory.dmp

Filesize
328KB

Download
memory/4788-124-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/4788-122-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/4788-121-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing