amadey | 9a992de6256ebd4206d07cc5916011ef631d9798161de0a05ff1c114bbf241d7

General

Target

SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe
Size

3.0MB
MD5

3eedb7ab4ab81081e6fe25b117d4698c
SHA1

20540442599ee9f254f3b7adfe116c2890cd227d
SHA256

9a992de6256ebd4206d07cc5916011ef631d9798161de0a05ff1c114bbf241d7
SHA512

5e1426b420c647bed333235763517d91aa6f8b19e52b4d100bb2ad8f1024592e1e82b4c15ed2b4275258fca99b2a71b740c2551200973dbb31bbf7343fd2b58d
SSDEEP

49152:ehsWom5L52gTmt+XMnJO39/34+DCTeenrfQpGHu4HSZWYExaO3s45O7ZdyAbm5NQ:eyPi2gTmtyMJO9/o2CFnTQ2jyZWYExaq

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://5.42.66.29

Attributes

install_dir
f60f0ba310
install_file
Dctooux.exe
strings_key
f34f781563773d1d56ad6459936524d1
url_paths
/b9djjcaSed/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow	pid	Process
29	3320	rundll32.exe
40	3160	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dctooux.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Dctooux.exe

Executes dropped EXE 1 IoCs

Processes:

Dctooux.exe

pid	Process
1788	Dctooux.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid	Process
3504	rundll32.exe
3320	rundll32.exe
3160	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

Processes:

SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exepowershell.exe

pid	Process
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
5068	powershell.exe
5068	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe

pid	Process
5000	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exeDctooux.exe

pid	Process
5000	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe
5000	SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe
1788	Dctooux.exe
1788	Dctooux.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Dctooux.exerundll32.exerundll32.exe

description	pid	Process	procid_target
PID 1788 wrote to memory of 3504	1788	Dctooux.exe	92
PID 1788 wrote to memory of 3504	1788	Dctooux.exe	92
PID 1788 wrote to memory of 3504	1788	Dctooux.exe	92
PID 3504 wrote to memory of 3320	3504	rundll32.exe	93
PID 3504 wrote to memory of 3320	3504	rundll32.exe	93
PID 3320 wrote to memory of 1176	3320	rundll32.exe	94
PID 3320 wrote to memory of 1176	3320	rundll32.exe	94
PID 3320 wrote to memory of 5068	3320	rundll32.exe	96
PID 3320 wrote to memory of 5068	3320	rundll32.exe	96
PID 1788 wrote to memory of 3160	1788	Dctooux.exe	99
PID 1788 wrote to memory of 3160	1788	Dctooux.exe	99
PID 1788 wrote to memory of 3160	1788	Dctooux.exe	99

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Farfli.2656.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\815711207184_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5068
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\815711207184

Filesize
76KB

MD5
90e761dbd5bab006ba538f34198333fe

SHA1
c6da1026e6f4cfbe27b8ea1399fb399c386988eb

SHA256
04bc87aed9d9e731f496c6c28b9e1f137f7c595ada7bed54700b435298cf9798

SHA512
2c7d3cc8d20d5a206f58ffc522e0aeb3defbf2c63e0e93b2079cbf1986bb1eec7020661bf03bb2fdd38f65d2c8cf9aff2696b861670fe8add2c83eefa7b81fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yanzk0a4.xpy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe

Filesize
710KB

MD5
ba26c9865ae3af654311ed950626e5dd

SHA1
4e6290dc69d35394d492c06333e5eedd07020a7e

SHA256
04a3c4e62fac11b23d41618a1f32d625a86bc2302add773ddf401e6943b7d59a

SHA512
a23b6d359cf92f4da9c2376235fe35fab3cfdba229e3c58bd6d6e9aacc9d1a6ff545b3ed36e748e53ff39c5effb203ce7fb53e6943e6b044e6e78be30551f480

Download Submit
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe

Filesize
880KB

MD5
a37eaf425b9b88b08e4d9803255e16ab

SHA1
0a144ad91f397b24721bbcc1f57d5c258ef9603a

SHA256
353c53d9f044bdc776b05345ea5f374926d131c078c5a2406d000aa4c1143958

SHA512
4fc68e87935f4332b185746242669f60013875b40f3ed06c1a8487b089c3f487110b80b3a7f3624e7681dac0a56bc11f5cee78b1c2f9a8c113032f2e68744b55

Download Submit
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll

Filesize
102KB

MD5
71a702fdf12308ed3280124ff4672112

SHA1
6d6c0a908cf5fc03a7ff43952c7a3c6e45706e64

SHA256
9295c4db4958d3092abd0bcb7daceb7bb4e64aca5dad103a7312adbd92b675e7

SHA512
e14d006f3c3030c00933ee18a2d7af844c938aff0c687b413b546c169dfd37a7d8bb1babf78024cd49dba11b87802c395cc2e095a9002a96103f8f085322932a

Download Submit
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll

Filesize
1.2MB

MD5
f0f298f43957b3d142d6a38a61baaa90

SHA1
69f0d367654ce5e789b6822b425d77f88332d7ef

SHA256
cffe9550d9e114d12971691a577c134a6438aaaeebe82688c51776fd243a41ce

SHA512
e352155ac426a1c27c7eac379c7c12b8f48f4ae4696e759c9cc6a4f743b948ceced6fefa793dd70635b8a0ac7560a0c0f3bf4d9611ff85a55b23950066860a18

Download Submit
C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll

Filesize
1018KB

MD5
c21624444cca158de98adc9123fabd90

SHA1
994daa335789f220363dd3ad372cd4492d4510a9

SHA256
c807c0f42fa768f89ae6fbc802076b35b3756f575239a9873a3522ebe76b1d5f

SHA512
fa42cc58d36d1b410b28c842734bc540a5cf41b56199c39ee272bd96f6e656242b5aeb7a7ad3e76d42415bdc4b0cf6411a34106054f39fa93d3cf6cceb382a9d

Download Submit
memory/1788-12-0x0000000000B20000-0x000000000103C000-memory.dmp

Filesize
5.1MB

Download
memory/1788-60-0x0000000000B20000-0x000000000103C000-memory.dmp

Filesize
5.1MB

Download
memory/1788-14-0x00000000049E0000-0x0000000004A4F000-memory.dmp

Filesize
444KB

Download
memory/1788-71-0x00000000049E0000-0x0000000004A4F000-memory.dmp

Filesize
444KB

Download
memory/1788-13-0x00000000049E0000-0x0000000004A4F000-memory.dmp

Filesize
444KB

Download
memory/1788-61-0x00000000049E0000-0x0000000004A4F000-memory.dmp

Filesize
444KB

Download
memory/5000-0-0x00000000002A0000-0x00000000007BC000-memory.dmp

Filesize
5.1MB

Download
memory/5000-7-0x00000000002A0000-0x00000000007BC000-memory.dmp

Filesize
5.1MB

Download
memory/5000-8-0x00000000041E0000-0x000000000424F000-memory.dmp

Filesize
444KB

Download
memory/5000-2-0x00000000041E0000-0x000000000424F000-memory.dmp

Filesize
444KB

Download
memory/5000-1-0x00000000002A0000-0x00000000007BC000-memory.dmp

Filesize
5.1MB

Download
memory/5068-49-0x00000230A9790000-0x00000230A97A0000-memory.dmp

Filesize
64KB

Download
memory/5068-53-0x00000230915F0000-0x00000230915FA000-memory.dmp

Filesize
40KB

Download
memory/5068-52-0x00000230A9770000-0x00000230A9782000-memory.dmp

Filesize
72KB

Download
memory/5068-59-0x00007FFCA0C40000-0x00007FFCA1701000-memory.dmp

Filesize
10.8MB

Download
memory/5068-50-0x00000230A9790000-0x00000230A97A0000-memory.dmp

Filesize
64KB

Download
memory/5068-51-0x00000230A9790000-0x00000230A97A0000-memory.dmp

Filesize
64KB

Download
memory/5068-48-0x00007FFCA0C40000-0x00007FFCA1701000-memory.dmp

Filesize
10.8MB

Download
memory/5068-43-0x00000230915A0000-0x00000230915C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads