amadey | 9a992de6256ebd4206d07cc5916011ef631d9798161de0a05ff1c114bbf241d7

General

Target

SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe
Size

3.0MB
MD5

3eedb7ab4ab81081e6fe25b117d4698c
SHA1

20540442599ee9f254f3b7adfe116c2890cd227d
SHA256

9a992de6256ebd4206d07cc5916011ef631d9798161de0a05ff1c114bbf241d7
SHA512

5e1426b420c647bed333235763517d91aa6f8b19e52b4d100bb2ad8f1024592e1e82b4c15ed2b4275258fca99b2a71b740c2551200973dbb31bbf7343fd2b58d
SSDEEP

49152:ehsWom5L52gTmt+XMnJO39/34+DCTeenrfQpGHu4HSZWYExaO3s45O7ZdyAbm5NQ:eyPi2gTmtyMJO9/o2CFnTQ2jyZWYExaq

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://5.42.66.29

Attributes

install_dir
f60f0ba310
install_file
Dctooux.exe
strings_key
f34f781563773d1d56ad6459936524d1
url_paths
/b9djjcaSed/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

flow	pid	Process
37	4248	rundll32.exe
41	3148	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Dctooux.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	Dctooux.exe

Loads dropped DLL 3 IoCs

pid	Process
4400	rundll32.exe
4248	rundll32.exe
3148	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4276	4424	WerFault.exe	76
5012	4424	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4248	rundll32.exe
4440	powershell.exe
4440	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4424	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4424	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe
4424	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe
3100	Dctooux.exe
3100	Dctooux.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4400	3100	Dctooux.exe	98
PID 3100 wrote to memory of 4400	3100	Dctooux.exe	98
PID 3100 wrote to memory of 4400	3100	Dctooux.exe	98
PID 4400 wrote to memory of 4248	4400	rundll32.exe	99
PID 4400 wrote to memory of 4248	4400	rundll32.exe	99
PID 4248 wrote to memory of 2168	4248	rundll32.exe	100
PID 4248 wrote to memory of 2168	4248	rundll32.exe	100
PID 4248 wrote to memory of 4440	4248	rundll32.exe	102
PID 4248 wrote to memory of 4440	4248	rundll32.exe	102
PID 3100 wrote to memory of 3148	3100	Dctooux.exe	104
PID 3100 wrote to memory of 3148	3100	Dctooux.exe	104
PID 3100 wrote to memory of 3148	3100	Dctooux.exe	104

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Farfli.2656.4301.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 936
  2⤵
  - Program crash
  PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 892
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4424 -ip 4424
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4424 -ip 4424
1⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\336304223297_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4440
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\336304223297

Filesize
79KB

MD5
6349c48b9d812d2969c51a75f0856dca

SHA1
29487f449ec673091395ad1934cc083cfa381cab

SHA256
ab32d7d373a4b4e7dd4b6e73cd808babccb52ef9ccc53990694dcf6d0c11426c

SHA512
e135c4fce3b6c432fdafbbd4e15782e910173df3ae3827b9fb6a4bc1b1e0107a9304d922fb135166688c0dbd631ffd62cedf53538aab37aa33e56fcbb40fd774

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjc3ybqu.fkg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe

Filesize
2.7MB

MD5
0df4aabf39078670667b3109095c46b3

SHA1
67d7f2841d5d42331b182c1e217ff1a69e1559e4

SHA256
c557e71e5147355443de0830b57986877fa50d65e5e3b85257c5bd0763d885f0

SHA512
d7695ac813506e2c9872f70c9430d9ff23435a7e4c81ee9ce81fe150d6e17c339a199f43502a95e083612562367aa9b25632a2e5b07a5c50ccc059b3004f6d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe

Filesize
2.6MB

MD5
85df28ccaad6d8f00726175cd1e4429c

SHA1
94d7b955a8ce95306f35920fec6dd50101ce4b28

SHA256
10caf9d6045963a1ea13fb6b48025e8dbddfe7da67b3741f40d44c1d50d89356

SHA512
c07263a0da17fe0cd9d30e5aa637c6a0def20e0b28921ac6082cf930cba513b2a183e8d9d5c0b78a415ad3458ba6a3beec26e8604a027d8371ca16819cf41ee6

Download Submit
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll

Filesize
102KB

MD5
71a702fdf12308ed3280124ff4672112

SHA1
6d6c0a908cf5fc03a7ff43952c7a3c6e45706e64

SHA256
9295c4db4958d3092abd0bcb7daceb7bb4e64aca5dad103a7312adbd92b675e7

SHA512
e14d006f3c3030c00933ee18a2d7af844c938aff0c687b413b546c169dfd37a7d8bb1babf78024cd49dba11b87802c395cc2e095a9002a96103f8f085322932a

Download Submit
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll

Filesize
1.2MB

MD5
f0f298f43957b3d142d6a38a61baaa90

SHA1
69f0d367654ce5e789b6822b425d77f88332d7ef

SHA256
cffe9550d9e114d12971691a577c134a6438aaaeebe82688c51776fd243a41ce

SHA512
e352155ac426a1c27c7eac379c7c12b8f48f4ae4696e759c9cc6a4f743b948ceced6fefa793dd70635b8a0ac7560a0c0f3bf4d9611ff85a55b23950066860a18

Download Submit
memory/3100-60-0x00000000043E0000-0x000000000444F000-memory.dmp

Filesize
444KB

Download
memory/3100-70-0x00000000043E0000-0x000000000444F000-memory.dmp

Filesize
444KB

Download
memory/3100-59-0x0000000000960000-0x0000000000E7C000-memory.dmp

Filesize
5.1MB

Download
memory/3100-12-0x0000000000960000-0x0000000000E7C000-memory.dmp

Filesize
5.1MB

Download
memory/3100-13-0x00000000043E0000-0x000000000444F000-memory.dmp

Filesize
444KB

Download
memory/3100-14-0x00000000043E0000-0x000000000444F000-memory.dmp

Filesize
444KB

Download
memory/4424-8-0x00000000042B0000-0x000000000431F000-memory.dmp

Filesize
444KB

Download
memory/4424-0-0x0000000000560000-0x0000000000A7C000-memory.dmp

Filesize
5.1MB

Download
memory/4424-7-0x0000000000560000-0x0000000000A7C000-memory.dmp

Filesize
5.1MB

Download
memory/4424-2-0x00000000042B0000-0x000000000431F000-memory.dmp

Filesize
444KB

Download
memory/4424-1-0x0000000000560000-0x0000000000A7C000-memory.dmp

Filesize
5.1MB

Download
memory/4440-43-0x000001AD4C720000-0x000001AD4C742000-memory.dmp

Filesize
136KB

Download
memory/4440-51-0x000001AD4CAB0000-0x000001AD4CAC2000-memory.dmp

Filesize
72KB

Download
memory/4440-58-0x00007FFF42A00000-0x00007FFF434C1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-52-0x000001AD4CA90000-0x000001AD4CA9A000-memory.dmp

Filesize
40KB

Download
memory/4440-50-0x000001AD4A6A0000-0x000001AD4A6B0000-memory.dmp

Filesize
64KB

Download
memory/4440-49-0x000001AD4A6A0000-0x000001AD4A6B0000-memory.dmp

Filesize
64KB

Download
memory/4440-48-0x00007FFF42A00000-0x00007FFF434C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing