amadey | 3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

General

Target

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe
Size

423KB
MD5

1522b7c5e497da6783a21098b16fa9fd
SHA1

710640977a3444a6c80ccd3ccdcb846586356328
SHA256

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8
SHA512

25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce
SSDEEP

12288:amsJS4JF4LAIc+YGrlsh8I0wi/ajmCau5O9MB6:mS4JF4LAIc+YOliHiu6M

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://51.81.69.127

Attributes

install_dir
31feb4a22c
install_file
Dctooux.exe
strings_key
d97919b780e47328604ef358f75e629a
url_paths
/jPdsj3d4M/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

38 3396 rundll32.exe
39 60 rundll32.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Dctooux.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation Dctooux.exe
Executes dropped EXE 1 IoCs

Processes:

Dctooux.exe

pid process

3016 Dctooux.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4200 rundll32.exe
3396 rundll32.exe
60 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Windows directory 1 IoCs

Processes:

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
38	3396	rundll32.exe
39	60	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Dctooux.exe

pid	process
3016	Dctooux.exe

pid	process
4200	rundll32.exe
3396	rundll32.exe
60	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exepowershell.exe

pid	process
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
4552	powershell.exe
4552	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4552 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4552	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Dctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3016 wrote to memory of 4200	3016	Dctooux.exe	rundll32.exe
PID 3016 wrote to memory of 4200	3016	Dctooux.exe	rundll32.exe
PID 3016 wrote to memory of 4200	3016	Dctooux.exe	rundll32.exe
PID 4200 wrote to memory of 3396	4200	rundll32.exe	rundll32.exe
PID 4200 wrote to memory of 3396	4200	rundll32.exe	rundll32.exe
PID 3396 wrote to memory of 2204	3396	rundll32.exe	netsh.exe
PID 3396 wrote to memory of 2204	3396	rundll32.exe	netsh.exe
PID 3396 wrote to memory of 4552	3396	rundll32.exe	powershell.exe
PID 3396 wrote to memory of 4552	3396	rundll32.exe	powershell.exe
PID 3016 wrote to memory of 60	3016	Dctooux.exe	rundll32.exe
PID 3016 wrote to memory of 60	3016	Dctooux.exe	rundll32.exe
PID 3016 wrote to memory of 60	3016	Dctooux.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe
"C:\Users\Admin\AppData\Local\Temp\3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9e.exe"
1⤵
- Drops file in Windows directory
PID:2824

C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4552
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:60

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\168293393341

Filesize
78KB

MD5
cc595595733a7502e6657485976e9900

SHA1
af871916823643444c7571286767cc54ef963634

SHA256
0d1223e903356d18fabf86fbbfea4091dda9ad11fd05c729b6e0021ba8104656

SHA512
c93a1b09cb1859d1c8c40baf5dd0aa0fe8a4b9b7bd72f2879d706d75add783c30730fbe18a77893ba2f6c156ffc140b02fc43ff25529b08160196402b8672adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe

Filesize
423KB

MD5
1522b7c5e497da6783a21098b16fa9fd

SHA1
710640977a3444a6c80ccd3ccdcb846586356328

SHA256
3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

SHA512
25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpr0pplv.rkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
109KB

MD5
858c8921fd045dd5a185cd2135d30ee2

SHA1
cee7d814eff1f4239b54389afad56479405aa81f

SHA256
a8b8c5af5a81e7539039bcde6c80428717724bfa84b8f081af4a91f530150b9a

SHA512
861ff1281df64cea9a9d43c3f9967065e7e22347faeae2b918c136be65bc26a9629718992c921c29674a94729d1f2a951f45786fa25b2481417e0ae75b715220

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
805KB

MD5
b043ab13243220cdbba1e07cd370a5de

SHA1
b469a3fa0bb6575e29096cf4ec268d5a3975545c

SHA256
777f152172ac2b47565f49670a1eea2c322adf7da3e36367b26ca1ae11c4cadf

SHA512
21f9c7677257a18d3abc15378f8b9b347c1bd68e930022cff775c94458fe737865c160524d3477e8e85353e026d375174a02defd6a41ef207c8b7af3914a77b1

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
989KB

MD5
7862bf26917205560e9a716295efb4a6

SHA1
950abbd881d1bb073bc8c0f5711208c8a43800ef

SHA256
0b04bcd58c487d3641977aa999a9104a05c83f239362c1c462477955e66554d9

SHA512
7e3b4246b3b6c80934ea9ff31eed11db8f4374e3d81e382db9021ee8b7c5018f27d0211baa5bb25ade8d1ec5015511e2ad6d558529ffb8a074132d814a655423

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
853KB

MD5
1478575256ccb5d2fe1da29619e6fd86

SHA1
04b61c553bbaed425aea0c202b944b9e62e46eba

SHA256
ec799c0a363cfb0aaab67eb8551d0862879dcd962fc5b6725240a6de64150323

SHA512
becca775f5fb917f330cd609a66220a2a8d0694ad86ab01e934637d50aaf87411b8947c237d0e56a921d23d91e3dff5474d14fa06f6662a97fc559de1c215f22

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1007KB

MD5
8f1d8a9601793002e9a53c1097a2f1d1

SHA1
bde2707e582836aedbfcf28a2d91fb915301a2f9

SHA256
f368ae3058d0d6e1eb774bfbf8cc7346087bb1856fef18feafa7e89ff0bd68b8

SHA512
c408f6db99fe40b5157d7df917f3a708b3b89ea5deb130ce528e5375894c0a180e486a823d92a7b0ca132bc587520fa6700a4f2ebe9f069d92c1568c5a4c3f96

Download Submit
memory/4552-38-0x00000260476D0000-0x00000260476E0000-memory.dmp

Filesize
64KB

Download
memory/4552-27-0x0000026048090000-0x00000260480B2000-memory.dmp

Filesize
136KB

Download
memory/4552-39-0x00000260476D0000-0x00000260476E0000-memory.dmp

Filesize
64KB

Download
memory/4552-41-0x00000260476C0000-0x00000260476CA000-memory.dmp

Filesize
40KB

Download
memory/4552-40-0x0000026048200000-0x0000026048212000-memory.dmp

Filesize
72KB

Download
memory/4552-47-0x00007FF9FD260000-0x00007FF9FDD21000-memory.dmp

Filesize
10.8MB

Download
memory/4552-37-0x00007FF9FD260000-0x00007FF9FDD21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing