amadey | a406bfcf106fa5ba45ae292a1f0e5c3e805bec1ce594f2f5b5a012e07f384801

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246bc43dddcb46823b81aa3aab776e87.exe
Size

2.5MB
MD5

246bc43dddcb46823b81aa3aab776e87
SHA1

0d8df13b80d6f50a107be6ad934d0a3353064d06
SHA256

a406bfcf106fa5ba45ae292a1f0e5c3e805bec1ce594f2f5b5a012e07f384801
SHA512

e57ede33f80d833e0d700bb7ea41592a3f15cd02c53c6a6b8526c90230c084e97adfe9e7c0c1b2d9d7a0ce1651f67eed0cce1432bc9fcee13ad2a5aefebe7505
SSDEEP

49152:ZdSgw81FfOUtWIzmpr2uiy1VgBEjsKuo2unZwzPoM0XbXSoxdauV:ygVFWUtWQOxiVJo2unZwKXbX/7au

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

56 2236 rundll32.exe
75 3108 rundll32.exe
Downloads MZ/PE file

flow	pid	process
56	2236	rundll32.exe
75	3108	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

246bc43dddcb46823b81aa3aab776e87.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	246bc43dddcb46823b81aa3aab776e87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 4 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

4020 Utsysc.exe
368 Utsysc.exe
4568 Utsysc.exe
3236 Utsysc.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3864 rundll32.exe
2236 rundll32.exe
3108 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4500 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exe

pid process

2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe
2236 rundll32.exe

pid	process
4020	Utsysc.exe
368	Utsysc.exe
4568	Utsysc.exe
3236	Utsysc.exe

pid	process
3864	rundll32.exe
2236	rundll32.exe
3108	rundll32.exe

pid	process
4500	schtasks.exe

pid	process
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe
2236	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

246bc43dddcb46823b81aa3aab776e87.exeUtsysc.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3116 wrote to memory of 4020	3116	246bc43dddcb46823b81aa3aab776e87.exe	Utsysc.exe
PID 3116 wrote to memory of 4020	3116	246bc43dddcb46823b81aa3aab776e87.exe	Utsysc.exe
PID 3116 wrote to memory of 4020	3116	246bc43dddcb46823b81aa3aab776e87.exe	Utsysc.exe
PID 4020 wrote to memory of 4500	4020	Utsysc.exe	schtasks.exe
PID 4020 wrote to memory of 4500	4020	Utsysc.exe	schtasks.exe
PID 4020 wrote to memory of 4500	4020	Utsysc.exe	schtasks.exe
PID 4020 wrote to memory of 3864	4020	Utsysc.exe	rundll32.exe
PID 4020 wrote to memory of 3864	4020	Utsysc.exe	rundll32.exe
PID 4020 wrote to memory of 3864	4020	Utsysc.exe	rundll32.exe
PID 3864 wrote to memory of 2236	3864	rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 2236	3864	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 2644	2236	rundll32.exe	netsh.exe
PID 2236 wrote to memory of 2644	2236	rundll32.exe	netsh.exe
PID 2236 wrote to memory of 116	2236	rundll32.exe	tar.exe
PID 2236 wrote to memory of 116	2236	rundll32.exe	tar.exe
PID 4020 wrote to memory of 3108	4020	Utsysc.exe	rundll32.exe
PID 4020 wrote to memory of 3108	4020	Utsysc.exe	rundll32.exe
PID 4020 wrote to memory of 3108	4020	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\246bc43dddcb46823b81aa3aab776e87.exe
"C:\Users\Admin\AppData\Local\Temp\246bc43dddcb46823b81aa3aab776e87.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:2644

C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\963151031488_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
5⤵
PID:116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3108

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
- Executes dropped EXE
PID:368

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
- Executes dropped EXE
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
1.0MB

MD5
5df5da0123431e261ee650940b800658

SHA1
1ce157a36c7ee261c7a7d9fa5815d120afedf012

SHA256
ef69d58051ff6dd06413b3befbe68dce9de8e06e29de879d4c2b8a7f77b931d0

SHA512
d97ca04e066145b43fcba767350dbfa069511ee0e5b99bb7dd087f007b0a41eb1e5a4ba714a199819e68984a494b8eaf4388f5c5f1afc579a26d831c9edd4c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
784KB

MD5
8b161e500e9d19eaabb70fa5ecccf525

SHA1
877ad891095b6ce5207bf5133bc79502e0b99c33

SHA256
3ec1f51cb35915a38daab92b6ec5504c8589e1e7a74be228d98ee523539098b3

SHA512
ea77c80c78ea6a95829b33112c084fe84cc1494bdc2bb11b761af3cbcf42a5f8bf0620250f4863ad7e76c9a95f189a033fde79f5200fe7f8535a5b50205a5d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
1.7MB

MD5
122c9f978f4bcee3e251b1486bd65a7d

SHA1
429d17fd2d8f814518200657313bc42750265c36

SHA256
7421555f02783ef4f8a15373114d57729f99c0d182fa2181f9627eead4abacc0

SHA512
e70f2f275c6b251d11bd3b0ae59e17ffd66bf6417e317c350f178741552aad3cce23aa12a9cf4ac7a3930f7f8d04765d01eef03c73d86228e8c9e9382f021cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
2.5MB

MD5
246bc43dddcb46823b81aa3aab776e87

SHA1
0d8df13b80d6f50a107be6ad934d0a3353064d06

SHA256
a406bfcf106fa5ba45ae292a1f0e5c3e805bec1ce594f2f5b5a012e07f384801

SHA512
e57ede33f80d833e0d700bb7ea41592a3f15cd02c53c6a6b8526c90230c084e97adfe9e7c0c1b2d9d7a0ce1651f67eed0cce1432bc9fcee13ad2a5aefebe7505

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
149KB

MD5
bdf80152004f885acfc79c57ba2c92bc

SHA1
9d3be2620faee820d1269d28fa9ef3ec3248529c

SHA256
12290c7a709d319ff82233597f6345347da23601cc47fbfa8e1095f484fa33ca

SHA512
eb3c6a94507a680550b0482b8a97c8420cedaa7c060e244fceec91c6ac6c03b53ec4459108d51b1fde45fdc413534d299655b716951539d42bef4a6132adeece

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
Filesize
888KB

MD5
3e1f05956114693c005a4d50e418f9ff

SHA1
13fec3c7a98463361ece10ffc6757080ff2d133d

SHA256
4ba572aa9a661551c47dcb492fca79996b4cf5973cb5db2a8160a90ca17d6518

SHA512
05ed62ef52063106d367214fb53230e1e82479fa9168d3e0ceba3619f62bfb02a3c4ed649cd7d0cd43fe712e20274b237c2bb9ca648a0069cb20a4aa47d07eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\963151031488
Filesize
83KB

MD5
9f2750a47428f622ec8c18fae9eda32b

SHA1
7accf0a0cd3fc9c020d83db39c67d0a2e2542f96

SHA256
73bf20140cb927afead4fcb0e0696ed73db21ef26c6a594fde1676234423b9d2

SHA512
73f51649c727b63ea16074f2e4d69f2184535c60bfa64adf97b8d5d934b242f0bafcfa3da606a4c2024b1a46a5a8c62bbd4f2602c1d09347ce993f8ff5736e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\963151031488_Desktop.tar
Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
Filesize
102KB

MD5
c06513af505f65393b4ebcd2a11a2ee4

SHA1
6e9e8a6b93fc9afbcc781790881d821b0bfb0821

SHA256
f5d35a2366cf13312a30c9384f1ac30d9dc9ced46fa6b1b9c2d0621493cc2495

SHA512
b90b8dc0571b2dde83c5ceaa4f12f203973bc2049663c0a840fa20a900bc7018f1f392f10273a607e816ccaf8a2b4f70bbc30b354437a2c9aecf5626b7c0a5ce

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll
Filesize
1.2MB

MD5
b5cdfc4ca11aa7705c605fd93538a310

SHA1
c9c1baac2fe2be6d924cea5affa0518aa665dc3f

SHA256
92342e62a3f51b7e205863f58b6a0e0145c4fecc31d40049b91e97ed0bb710ca

SHA512
fd7c24e0bdf859a8e2025aa8200e8096af6d392662cfc5ffb0d1b5febdec45612145848facef76582503c893c778390fb676a6b9530d4bf231987fdfc8eb0745

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll
Filesize
1.1MB

MD5
94dd4ac76cefca7c138bc514c6f9e004

SHA1
b152d750a04000cc6129baa4d70f6b625ff6fe1c

SHA256
1a47e66ab42b54c7250219caeb7966b45e59468b93dc0786de03f9793a90dcb8

SHA512
cf11a6fe69694223220fad9540f881653ed383d02365dbe8cfc187ee735e8c93f47f8ad8e598ffdae05482df94e067aa48fe1836a95a8c53fcfe87b6850aef48

Download Submit
memory/368-43-0x0000000000D50000-0x0000000001180000-memory.dmp

Filesize
4.2MB

Download
memory/3116-0-0x0000000000920000-0x0000000000D50000-memory.dmp

Filesize
4.2MB

Download
memory/3236-62-0x0000000000D50000-0x0000000001180000-memory.dmp

Filesize
4.2MB

Download
memory/4020-15-0x0000000000D50000-0x0000000001180000-memory.dmp

Filesize
4.2MB

Download
memory/4568-58-0x0000000000D50000-0x0000000001180000-memory.dmp

Filesize
4.2MB

Download