amadey | 2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef

General

Target

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe
Size

2.3MB
MD5

adb7d29709bbc6b756cca7b7dda5658e
SHA1

41487c37e04720a70d6f2c467aaacbf999e11bd5
SHA256

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fef
SHA512

f0562cac20ac06a5c2c3f674b02aaf1dab97556f69fa759a410c1618945c89b15c0e49473fe269c13b6fbe133418c77a041857e0fcd0a3d4c6fc1f4aa2b02ff4
SSDEEP

24576:mxltyHQflUh/U5owayCu20tjmbCgCQtAERGsUdMhlh:mxbflOadltgCQsrMhX

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

45.9.74.182/b7djSDcPcZ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Drops startup file 1 IoCs

Processes:

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\assdfmdswkhs.lnk	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3988 rundll32.exe
1368 rundll32.exe
4128 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3988	rundll32.exe
1368	rundll32.exe
4128	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

description	pid	process	target process
PID 4204 set thread context of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1180 1368 WerFault.exe rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

description pid process

Token: SeDebugPrivilege 4204 2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

pid	pid_target	process	target process
1180	1368	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exeMsBuild.exerundll32.exe

description	pid	process	target process
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 4204 wrote to memory of 2840	4204	2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe	MsBuild.exe
PID 2840 wrote to memory of 3988	2840	MsBuild.exe	rundll32.exe
PID 2840 wrote to memory of 3988	2840	MsBuild.exe	rundll32.exe
PID 2840 wrote to memory of 3988	2840	MsBuild.exe	rundll32.exe
PID 2840 wrote to memory of 4128	2840	MsBuild.exe	rundll32.exe
PID 2840 wrote to memory of 4128	2840	MsBuild.exe	rundll32.exe
PID 2840 wrote to memory of 4128	2840	MsBuild.exe	rundll32.exe
PID 3988 wrote to memory of 1368	3988	rundll32.exe	rundll32.exe
PID 3988 wrote to memory of 1368	3988	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2e976baf097df5f017d2ed15f3456345d0180afbf5910432d7629a29fdf75fefexe_JC.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1368
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1368 -s 644
        5⤵
        Program crash
        
        PID:1180
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:4128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1368 -ip 1368
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
89KB

MD5
6cd20776123181baa90224db7c78956c

SHA1
e840b852ad10fbd825374c9c9b9ef45d673cc7e6

SHA256
d1ec02791818eb83a1b7a8b3f98015ed883745f600fe5c1bcf33932c15aa147f

SHA512
e8f83e3bea6574b78d37a56c7e31a6731240f8ab33e31b5bf07cedb53ddd10bef41d7322f1af725dd5278e02b95d89f5de9a2c8ddb86e248ab3cdf8db9cb0b8a

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.1MB

MD5
5ac4952f9d0b64a682762d2ef24c48dc

SHA1
82f2776a790774b092a83deefc52440e0d7d6a84

SHA256
b73a969f9b129f8e89c49f1697078480af1d922ce10607fe3b851d9f6bb428b3

SHA512
e50f33f060c5986dcf4c594d132a56923a4f0926ddd8ff28f8b5435c4998ed9346d17a0bcb815ca5e7e5ab2766baf40940d6810dfddd8512f152c5d55adec2e6

Download Submit
memory/2840-163-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-159-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-169-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4204-157-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-134-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4204-161-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-162-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/4204-153-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-151-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-149-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-147-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-145-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-155-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-175-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4204-143-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-139-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-141-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-138-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download
memory/4204-137-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4204-136-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4204-135-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/4204-133-0x0000000000040000-0x0000000000292000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads