amadey | 2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef

General

Target

adb7d29709bbc6b756cca7b7dda5658e.exe
Size

2.3MB
MD5

adb7d29709bbc6b756cca7b7dda5658e
SHA1

41487c37e04720a70d6f2c467aaacbf999e11bd5
SHA256

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef
SHA512

f0562cac20ac06a5c2c3f674b02aaf1dab97556f69fa759a410c1618945c89b15c0e49473fe269c13b6fbe133418c77a041857e0fcd0a3d4c6fc1f4aa2b02ff4
SSDEEP

24576:mxltyHQflUh/U5owayCu20tjmbCgCQtAERGsUdMhlh:mxbflOadltgCQsrMhX

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

45.9.74.182/b7djSDcPcZ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assdfmdswkhs.lnk	adb7d29709bbc6b756cca7b7dda5658e.exe

Loads dropped DLL 3 IoCs

pid	Process
1632	rundll32.exe
2112	rundll32.exe
5084	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4796 set thread context of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	5084	WerFault.exe	104

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	adb7d29709bbc6b756cca7b7dda5658e.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4796 wrote to memory of 4584	4796	adb7d29709bbc6b756cca7b7dda5658e.exe	93
PID 4584 wrote to memory of 2112	4584	MsBuild.exe	102
PID 4584 wrote to memory of 2112	4584	MsBuild.exe	102
PID 4584 wrote to memory of 2112	4584	MsBuild.exe	102
PID 4584 wrote to memory of 1632	4584	MsBuild.exe	103
PID 4584 wrote to memory of 1632	4584	MsBuild.exe	103
PID 4584 wrote to memory of 1632	4584	MsBuild.exe	103
PID 2112 wrote to memory of 5084	2112	rundll32.exe	104
PID 2112 wrote to memory of 5084	2112	rundll32.exe	104

C:\Users\Admin\AppData\Local\Temp\adb7d29709bbc6b756cca7b7dda5658e.exe
"C:\Users\Admin\AppData\Local\Temp\adb7d29709bbc6b756cca7b7dda5658e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:5084
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5084 -s 644
        5⤵
        Program crash
        
        PID:1968
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 192 -p 5084 -ip 5084
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
memory/4584-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-163-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4584-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-159-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-169-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4796-157-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-134-0x0000000000320000-0x0000000000572000-memory.dmp

Filesize
2.3MB

Download
memory/4796-161-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-162-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4796-153-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-151-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-149-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-147-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-145-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-155-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-175-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4796-143-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-141-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-139-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-138-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/4796-137-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4796-136-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4796-135-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/4796-133-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing