amadey | c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b

Analysis

max time kernel
295s
max time network
242s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
Size

388KB
MD5

0de19cd17462ea79db1a5e5fd1d7f59f
SHA1

d2b313dcfbda9a04475fc01182336b52846bbe3b
SHA256

c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b
SHA512

0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c
SSDEEP

6144:xw5S4d8nVyt7UcbfbXoAZvKAHiq7bSVXVU/OooMQEqChuiTAOxiMd:+5B/Uczb4AZvKAHuO/YEJus

Score

10^/10

amadey persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	2436	rundll32.exe
12	1628	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2860	Dctooux.exe

Loads dropped DLL 19 IoCs

pid	Process
2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
584	rundll32.exe
584	rundll32.exe
584	rundll32.exe
584	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
2860	Dctooux.exe
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe
1628	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main"	Dctooux.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 584 set thread context of 1608	584	rundll32.exe	44

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	1608	WerFault.exe	44

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
1232	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2860	2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe	28
PID 2780 wrote to memory of 2860	2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe	28
PID 2780 wrote to memory of 2860	2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe	28
PID 2780 wrote to memory of 2860	2780	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe	28
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 584	2860	Dctooux.exe	31
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 2860 wrote to memory of 1632	2860	Dctooux.exe	32
PID 1632 wrote to memory of 2436	1632	rundll32.exe	33
PID 1632 wrote to memory of 2436	1632	rundll32.exe	33
PID 1632 wrote to memory of 2436	1632	rundll32.exe	33
PID 1632 wrote to memory of 2436	1632	rundll32.exe	33
PID 2860 wrote to memory of 2668	2860	Dctooux.exe	34
PID 2860 wrote to memory of 2668	2860	Dctooux.exe	34
PID 2860 wrote to memory of 2668	2860	Dctooux.exe	34
PID 2860 wrote to memory of 2668	2860	Dctooux.exe	34
PID 2436 wrote to memory of 2680	2436	rundll32.exe	35
PID 2436 wrote to memory of 2680	2436	rundll32.exe	35
PID 2436 wrote to memory of 2680	2436	rundll32.exe	35
PID 2436 wrote to memory of 1232	2436	rundll32.exe	37
PID 2436 wrote to memory of 1232	2436	rundll32.exe	37
PID 2436 wrote to memory of 1232	2436	rundll32.exe	37
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 2860 wrote to memory of 1628	2860	Dctooux.exe	40
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 584 wrote to memory of 1608	584	rundll32.exe	44
PID 1608 wrote to memory of 2748	1608	rundll32.exe	45
PID 1608 wrote to memory of 2748	1608	rundll32.exe	45
PID 1608 wrote to memory of 2748	1608	rundll32.exe	45
PID 1608 wrote to memory of 2748	1608	rundll32.exe	45

C:\Users\Admin\AppData\Local\Temp\c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
"C:\Users\Admin\AppData\Local\Temp\c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 208
        5⤵
        Program crash
        
        PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\780967622241_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
- - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

Filesize
2.3MB

MD5
cb253bf8a6859eadd30b4ceb66c6a588

SHA1
7e9383d51ec36a019b5884f79a2ac2c05b4049bd

SHA256
03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722

SHA512
1291d53ee1e025889a6d2bb222eac940c4ba73ae22fd956cbc8c9e61fcc0f78c96a5277362750a5e168ab5a02b46d5d11defaca0956eae08ad546ec529a3e061

Download Submit
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
388KB

MD5
0de19cd17462ea79db1a5e5fd1d7f59f

SHA1
d2b313dcfbda9a04475fc01182336b52846bbe3b

SHA256
c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b

SHA512
0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\780967622241

Filesize
71KB

MD5
6d18603c05d87cb3d93c6dec9093e93d

SHA1
39d159a332debbc9b4dd2724720cd39c4209eca2

SHA256
4030c1e72975a3368adfcd2375a65e460129ab726d3c1b36e473f437d4964302

SHA512
1e996778d6b6601254991328c116b9694f2e78b28ea70e04cee1bb4cbe6ec2b903a32ec912f929564d6c0db469c40b72c11cfb553d0c1a0cbb572dc42f860bab

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
1.2MB

MD5
4876ee75ce2712147c41ff1277cd2d30

SHA1
3733dc92318f0c6b92cb201e49151686281acda6

SHA256
bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed

SHA512
9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

Download Submit
memory/584-100-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/584-101-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/584-82-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/584-81-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/584-99-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/584-106-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/584-103-0x0000000010000000-0x0000000010253000-memory.dmp

Filesize
2.3MB

Download
memory/1232-75-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1232-72-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1232-73-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/1232-74-0x000007FEF4D70000-0x000007FEF570D000-memory.dmp

Filesize
9.6MB

Download
memory/1232-76-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1232-77-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1232-78-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1232-79-0x000007FEF4D70000-0x000007FEF570D000-memory.dmp

Filesize
9.6MB

Download
memory/1608-102-0x0000000000110000-0x0000000000182000-memory.dmp

Filesize
456KB

Download
memory/1608-107-0x0000000000110000-0x0000000000182000-memory.dmp

Filesize
456KB

Download
memory/1608-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-109-0x0000000000110000-0x0000000000182000-memory.dmp

Filesize
456KB

Download
memory/1608-111-0x0000000000110000-0x0000000000182000-memory.dmp

Filesize
456KB

Download
memory/2780-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2780-5-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2780-19-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/2780-17-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2780-2-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/2780-18-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2780-3-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-71-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-33-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-83-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2860-22-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-21-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2860-97-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-130-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2860-136-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download