amadey | 3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

General

Target

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe
Size

423KB
MD5

1522b7c5e497da6783a21098b16fa9fd
SHA1

710640977a3444a6c80ccd3ccdcb846586356328
SHA256

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8
SHA512

25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce
SSDEEP

12288:amsJS4JF4LAIc+YGrlsh8I0wi/ajmCau5O9MB6:mS4JF4LAIc+YOliHiu6M

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://51.81.69.127

Attributes

install_dir
31feb4a22c
install_file
Dctooux.exe
strings_key
d97919b780e47328604ef358f75e629a
url_paths
/jPdsj3d4M/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

flow	pid	Process
39	808	rundll32.exe
41	2380	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Dctooux.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	Dctooux.exe

Loads dropped DLL 3 IoCs

pid	Process
1696	rundll32.exe
808	rundll32.exe
2380	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
4820	powershell.exe
4820	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1696	2312	Dctooux.exe	94
PID 2312 wrote to memory of 1696	2312	Dctooux.exe	94
PID 2312 wrote to memory of 1696	2312	Dctooux.exe	94
PID 1696 wrote to memory of 808	1696	rundll32.exe	95
PID 1696 wrote to memory of 808	1696	rundll32.exe	95
PID 808 wrote to memory of 1944	808	rundll32.exe	96
PID 808 wrote to memory of 1944	808	rundll32.exe	96
PID 808 wrote to memory of 4820	808	rundll32.exe	98
PID 808 wrote to memory of 4820	808	rundll32.exe	98
PID 2312 wrote to memory of 2380	2312	Dctooux.exe	100
PID 2312 wrote to memory of 2380	2312	Dctooux.exe	100
PID 2312 wrote to memory of 2380	2312	Dctooux.exe	100

C:\Users\Admin\AppData\Local\Temp\3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe
"C:\Users\Admin\AppData\Local\Temp\3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe"
1⤵
- Drops file in Windows directory
PID:4236

C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe

Filesize
423KB

MD5
1522b7c5e497da6783a21098b16fa9fd

SHA1
710640977a3444a6c80ccd3ccdcb846586356328

SHA256
3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

SHA512
25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\497073144238

Filesize
75KB

MD5
ab30477f9166fe83f238a0e742c6eb76

SHA1
72d283f8f185cad8adf649afc0dc97e7a0bb9b5f

SHA256
a87211f6bf4b2ea31727115290067b9fb4d4edfb0a412529d301e786b32c5715

SHA512
51085963dec7cb8b89d64f087d4735d34201257f13d9a15283d8b99cbb9d4a1d5037b7dd69fd01faad8813fcd5052c9b64d17e6e40438619bb5048aa0c1a59e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvvavtj4.pgq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
109KB

MD5
858c8921fd045dd5a185cd2135d30ee2

SHA1
cee7d814eff1f4239b54389afad56479405aa81f

SHA256
a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

SHA512
861ff1281df64cea9a9d43c3f9967065e7e22347faeae2b918c136be65bc26a9629718992c921c29674a94729d1f2a951f45786fa25b2481417e0ae75b715220

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.2MB

MD5
a1fbee549a00971cece863265a7403aa

SHA1
43ebf62f631c13391eb49ae23cb7f9c2cb6e56f7

SHA256
d79b3d620f65afb01eaf106d7c355f6bc47f9da173d39bab17091dcf05a792c0

SHA512
3079cb01fb5a1d452f685c9c2eab42985d407b7529cf900b8cc834cd67c6022aa74d5f11d9db95fc4b40122a4019ef529ff5f44de22c9b54e20923b847567a41

Download Submit
memory/4820-38-0x0000024B5CE40000-0x0000024B5CE50000-memory.dmp

Filesize
64KB

Download
memory/4820-37-0x00007FF8B64A0000-0x00007FF8B6F61000-memory.dmp

Filesize
10.8MB

Download
memory/4820-39-0x0000024B5CE40000-0x0000024B5CE50000-memory.dmp

Filesize
64KB

Download
memory/4820-40-0x0000024B5CE40000-0x0000024B5CE50000-memory.dmp

Filesize
64KB

Download
memory/4820-42-0x0000024B5D910000-0x0000024B5D91A000-memory.dmp

Filesize
40KB

Download
memory/4820-41-0x0000024B5D940000-0x0000024B5D952000-memory.dmp

Filesize
72KB

Download
memory/4820-48-0x00007FF8B64A0000-0x00007FF8B6F61000-memory.dmp

Filesize
10.8MB

Download
memory/4820-32-0x0000024B5CE50000-0x0000024B5CE72000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing