amadey | e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39

Analysis

max time kernel
124s
max time network
130s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
02-08-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe
Size

2.3MB
MD5

16b1f45f29fed3bf39fce00a5d96801d
SHA1

ea0cc0ae35cde2ad52334eb7774ec2eeeb401ab5
SHA256

e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39
SHA512

1808dbf0ede3d285e3f8ecfe506f9d515b1165f6d94c5da81a75f8ed2ea9d555eb2fc19f9f9677a20a071621ac1c6005b00b270a53d3890af51bbe48496b59b1
SSDEEP

49152:hAGvEatXgm/pMqnAK/42RSccGAL1bo+pNf333Toj:OvnLBo+pNf333T4

Score

10^/10

amadey persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.86

45.9.74.182/b7djSDcPcZ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assdfmdswkhs.lnk	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe

Loads dropped DLL 3 IoCs

pid	Process
4804	rundll32.exe
512	rundll32.exe
996	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Windows\CurrentVersion\Run\setup.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\setup.dll, rundll"	MsBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4916	512	WerFault.exe	75

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 2348 wrote to memory of 4664	2348	e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe	70
PID 4664 wrote to memory of 1000	4664	MsBuild.exe	71
PID 4664 wrote to memory of 1000	4664	MsBuild.exe	71
PID 4664 wrote to memory of 1000	4664	MsBuild.exe	71
PID 4664 wrote to memory of 4804	4664	MsBuild.exe	73
PID 4664 wrote to memory of 4804	4664	MsBuild.exe	73
PID 4664 wrote to memory of 4804	4664	MsBuild.exe	73
PID 4804 wrote to memory of 512	4804	rundll32.exe	75
PID 4804 wrote to memory of 512	4804	rundll32.exe	75
PID 4664 wrote to memory of 996	4664	MsBuild.exe	74
PID 4664 wrote to memory of 996	4664	MsBuild.exe	74
PID 4664 wrote to memory of 996	4664	MsBuild.exe	74

C:\Users\Admin\AppData\Local\Temp\e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe
"C:\Users\Admin\AppData\Local\Temp\e70c853938f467faf43b4bb571cd4bfa782fbda179a864cc80680190b7557c39.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\setup.dll, rundll
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:512
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 512 -s 596
        5⤵
        Program crash
        
        PID:4916
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000058061\setup.dll

Filesize
7KB

MD5
c72ae097bc9d2737e20046b0610b9fab

SHA1
3087154a1d4752afc6cd1043ffed6f9203ad324e

SHA256
a8a284f377cb9f21c53e5553234ecb693dc4c2c38f3306b6cde4aead5e05e913

SHA512
6225e27319d828ae7aadf011a959a5b1b67cffdd1bedbbaed2a53bd3fd71457ed872016dcb17bfd1ba713e324c7fe4b3076923eacd067052cad28f038bd831fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\setup.dll

Filesize
7KB

MD5
c72ae097bc9d2737e20046b0610b9fab

SHA1
3087154a1d4752afc6cd1043ffed6f9203ad324e

SHA256
a8a284f377cb9f21c53e5553234ecb693dc4c2c38f3306b6cde4aead5e05e913

SHA512
6225e27319d828ae7aadf011a959a5b1b67cffdd1bedbbaed2a53bd3fd71457ed872016dcb17bfd1ba713e324c7fe4b3076923eacd067052cad28f038bd831fb

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
memory/2348-132-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-129-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-136-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-138-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-140-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-142-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-144-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-146-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-148-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-150-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-152-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-153-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2348-123-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-124-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/2348-125-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-126-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2348-127-0x0000000005030000-0x0000000005082000-memory.dmp

Filesize
328KB

Download
memory/2348-122-0x0000000000510000-0x0000000000768000-memory.dmp

Filesize
2.3MB

Download
memory/2348-130-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/2348-166-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2348-128-0x0000000005080000-0x000000000509C000-memory.dmp

Filesize
112KB

Download
memory/2348-173-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-134-0x0000000005080000-0x0000000005095000-memory.dmp

Filesize
84KB

Download
memory/4664-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-158-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-155-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4664-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads