amadey | 3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

General

Target

Amadey.exe
Size

423KB
MD5

1522b7c5e497da6783a21098b16fa9fd
SHA1

710640977a3444a6c80ccd3ccdcb846586356328
SHA256

3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8
SHA512

25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce
SSDEEP

12288:amsJS4JF4LAIc+YGrlsh8I0wi/ajmCau5O9MB6:mS4JF4LAIc+YOliHiu6M

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://51.81.69.127

Attributes

install_dir
31feb4a22c
install_file
Dctooux.exe
strings_key
d97919b780e47328604ef358f75e629a
url_paths
/jPdsj3d4M/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

42 1028 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Dctooux.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation Dctooux.exe
Executes dropped EXE 1 IoCs

Processes:

Dctooux.exe

pid process

4804 Dctooux.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

804 rundll32.exe
1028 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Windows directory 1 IoCs

Processes:

Amadey.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job Amadey.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
42	1028	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Dctooux.exe

pid	process
4804	Dctooux.exe

pid	process
804	rundll32.exe
1028	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	Amadey.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exepowershell.exe

pid	process
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
1028	rundll32.exe
4344	powershell.exe
4344	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4344 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Amadey.exe

pid process

2340 Amadey.exe

description	pid	process
Token: SeDebugPrivilege	4344	powershell.exe

pid	process
2340	Amadey.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Dctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4804 wrote to memory of 804	4804	Dctooux.exe	rundll32.exe
PID 4804 wrote to memory of 804	4804	Dctooux.exe	rundll32.exe
PID 4804 wrote to memory of 804	4804	Dctooux.exe	rundll32.exe
PID 804 wrote to memory of 1028	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 1028	804	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 4460	1028	rundll32.exe	netsh.exe
PID 1028 wrote to memory of 4460	1028	rundll32.exe	netsh.exe
PID 1028 wrote to memory of 4344	1028	rundll32.exe	powershell.exe
PID 1028 wrote to memory of 4344	1028	rundll32.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\Amadey.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2340

C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\073191680435_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\073191680435

Filesize
80KB

MD5
6d198eee6befe1e9a63f2c081c4834ec

SHA1
017fc8c03870b640469254527da1f37f28767bf8

SHA256
064afc237a47e6d98890f0ca3aae46f843e7a2c8ecde104c883063f81ccd211e

SHA512
1d9e1d739d9d1072f7451cd041f91485dc551c5d569d996d5da527b0004e2b8e178896b30a0295728cc0b3afffb0f340467b1d679f21ea4cfad55fbead51de4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31feb4a22c\Dctooux.exe

Filesize
423KB

MD5
1522b7c5e497da6783a21098b16fa9fd

SHA1
710640977a3444a6c80ccd3ccdcb846586356328

SHA256
3bb45ee150f445209bc66044d461a5bfd4c1ff424bc9eaf016eb2dac6fd6c1b8

SHA512
25d17615000a928dc11e24377f373a2d2bf406c4b0cfde19d42cc54c0605e5f31dd52b55c32dc0c32374795b101aff4fa4d30a75d8a6671ddb6b8a988141a1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfdwsw3q.mqz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.2MB

MD5
a1fbee549a00971cece863265a7403aa

SHA1
43ebf62f631c13391eb49ae23cb7f9c2cb6e56f7

SHA256
d79b3d620f65afb01eaf106d7c355f6bc47f9da173d39bab17091dcf05a792c0

SHA512
3079cb01fb5a1d452f685c9c2eab42985d407b7529cf900b8cc834cd67c6022aa74d5f11d9db95fc4b40122a4019ef529ff5f44de22c9b54e20923b847567a41

Download Submit
memory/4344-27-0x000001DEC18C0000-0x000001DEC18E2000-memory.dmp

Filesize
136KB

Download
memory/4344-37-0x00007FFD789D0000-0x00007FFD79491000-memory.dmp

Filesize
10.8MB

Download
memory/4344-38-0x000001DEA7530000-0x000001DEA7540000-memory.dmp

Filesize
64KB

Download
memory/4344-39-0x000001DEA7530000-0x000001DEA7540000-memory.dmp

Filesize
64KB

Download
memory/4344-40-0x000001DEC1DC0000-0x000001DEC1DD2000-memory.dmp

Filesize
72KB

Download
memory/4344-41-0x000001DEC1DA0000-0x000001DEC1DAA000-memory.dmp

Filesize
40KB

Download
memory/4344-47-0x00007FFD789D0000-0x00007FFD79491000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing