amadey | b9fa703b80c7d124148f64ae3474f1f2b01a42cd1ed6871be2bb6c9d15ecf871

Analysis

max time kernel
121s
max time network
136s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fa703b80c7d124148f64ae3474f1f2b01a42cd1ed6871be2bb6c9d15ecf871.dll
Size

126KB
MD5

a81511e199a9aa34da15d12c2f294b2c
SHA1

0f9006d8f09e91bbd459b8254dd945e4fbae25d9
SHA256

b9fa703b80c7d124148f64ae3474f1f2b01a42cd1ed6871be2bb6c9d15ecf871
SHA512

98e56b9f4a09b423432cd9c03110109f872dedef7bb29d7bb0cc5cd8827c5f67b8385dc9ca5faa4c23ae28dd3b1c87d977bd3b4e09eeb363c6f1d245a5e59707
SSDEEP

3072:Yx7pOYzBek+3tiINwyP7XSSJds3zhrjPcnq4Lv469:Yx7ZNh+3vwyOztPcrL

Score

10^/10

amadey collection cred module spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 1 IoCs

cred module

resource	yara_rule
behavioral2/memory/3768-0-0x0000000000400000-0x0000000000424000-memory.dmp	amadey_cred_module

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2188	3768	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe
3768	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3768	4500	rundll32.exe	77
PID 4500 wrote to memory of 3768	4500	rundll32.exe	77
PID 4500 wrote to memory of 3768	4500	rundll32.exe	77

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9fa703b80c7d124148f64ae3474f1f2b01a42cd1ed6871be2bb6c9d15ecf871.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9fa703b80c7d124148f64ae3474f1f2b01a42cd1ed6871be2bb6c9d15ecf871.dll,#1
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - outlook_win_path
  PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 716
    3⤵
    - Program crash
    PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3768 -ip 3768
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3768-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download