amadey | 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

General

Target

7b432411c12d3d0d31ecaf9011450e42.exe
Size

420KB
MD5

7b432411c12d3d0d31ecaf9011450e42
SHA1

968943d42ba1e8938989b6ed1884195c2285396f
SHA256

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA512

6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
SSDEEP

6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu

Score

10^/10

amadey risepro spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

9 1180 rundll32.exe
12 2392 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Dctooux.exerisepro.exe

pid process

2604 Dctooux.exe
2832 risepro.exe

flow	pid	process
9	1180	rundll32.exe
12	2392	rundll32.exe

pid	process
2604	Dctooux.exe
2832	risepro.exe

Loads dropped DLL 17 IoCs

Processes:

7b432411c12d3d0d31ecaf9011450e42.exeDctooux.exerundll32.exerundll32.exerundll32.exe

pid	process
1540	7b432411c12d3d0d31ecaf9011450e42.exe
1540	7b432411c12d3d0d31ecaf9011450e42.exe
2604	Dctooux.exe
2604	Dctooux.exe
2604	Dctooux.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Windows directory 1 IoCs

Processes:

7b432411c12d3d0d31ecaf9011450e42.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 7b432411c12d3d0d31ecaf9011450e42.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exepowershell.exe

pid process

1180 rundll32.exe
1180 rundll32.exe
1180 rundll32.exe
1180 rundll32.exe
1180 rundll32.exe
2008 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2008 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7b432411c12d3d0d31ecaf9011450e42.exe

pid process

1540 7b432411c12d3d0d31ecaf9011450e42.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	7b432411c12d3d0d31ecaf9011450e42.exe

pid	process
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
2008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

7b432411c12d3d0d31ecaf9011450e42.exeDctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1540 wrote to memory of 2604	1540	7b432411c12d3d0d31ecaf9011450e42.exe	Dctooux.exe
PID 1540 wrote to memory of 2604	1540	7b432411c12d3d0d31ecaf9011450e42.exe	Dctooux.exe
PID 1540 wrote to memory of 2604	1540	7b432411c12d3d0d31ecaf9011450e42.exe	Dctooux.exe
PID 1540 wrote to memory of 2604	1540	7b432411c12d3d0d31ecaf9011450e42.exe	Dctooux.exe
PID 2604 wrote to memory of 2884	2604	Dctooux.exe	Dctooux.exe
PID 2604 wrote to memory of 2884	2604	Dctooux.exe	Dctooux.exe
PID 2604 wrote to memory of 2884	2604	Dctooux.exe	Dctooux.exe
PID 2604 wrote to memory of 2884	2604	Dctooux.exe	Dctooux.exe
PID 2604 wrote to memory of 2832	2604	Dctooux.exe	risepro.exe
PID 2604 wrote to memory of 2832	2604	Dctooux.exe	risepro.exe
PID 2604 wrote to memory of 2832	2604	Dctooux.exe	risepro.exe
PID 2604 wrote to memory of 2832	2604	Dctooux.exe	risepro.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 1592	2604	Dctooux.exe	rundll32.exe
PID 1592 wrote to memory of 1180	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1180	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1180	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1180	1592	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 2864	1180	rundll32.exe	netsh.exe
PID 1180 wrote to memory of 2864	1180	rundll32.exe	netsh.exe
PID 1180 wrote to memory of 2864	1180	rundll32.exe	netsh.exe
PID 1180 wrote to memory of 2008	1180	rundll32.exe	powershell.exe
PID 1180 wrote to memory of 2008	1180	rundll32.exe	powershell.exe
PID 1180 wrote to memory of 2008	1180	rundll32.exe	powershell.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe
PID 2604 wrote to memory of 2392	2604	Dctooux.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7b432411c12d3d0d31ecaf9011450e42.exe
"C:\Users\Admin\AppData\Local\Temp\7b432411c12d3d0d31ecaf9011450e42.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    3⤵
    PID:2884
- - C:\Users\Admin\AppData\Roaming\1000065000\risepro.exe
    "C:\Users\Admin\AppData\Roaming\1000065000\risepro.exe"
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\309405411416_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
64KB

MD5
fea7c53f7c744c6334967baaf0a06456

SHA1
09b67d1004625c4eb3a164cdcf9e726b3d7d1272

SHA256
00ecc968ba2a942bcb02d61162cd763b62352fd2b7b23dbe16ecf9de31936622

SHA512
d3570947de312af3ec095212a1b990025b98c0d074cdc04c666302160aae252f2f1f324f668fd3846330267b16973cc6a9cdc708fd9b3b330210ef8098cf9d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
C:\Users\Admin\AppData\Local\Temp\309405411416

Filesize
65KB

MD5
e25f9348f0b7aa5298671c7a1aaef4a1

SHA1
ac5d0f13974c0d9bf6ac29a5e2d13c3d1decfd72

SHA256
bd5ee04123e7326c4c0b68d7693b705dc4d442a53f017a0e0874309865790d1b

SHA512
dff4378893b682f48e8032359a0f5086c7864842cb602f48d5438145f760f1264eecbd5b063f97973bba20b38cf49a3ab849677b83c0baef48082e68f0a4485a

Download Submit
C:\Users\Admin\AppData\Roaming\1000065000\risepro.exe

Filesize
855KB

MD5
b9f7dc70d95e29e1859b77354a7028d0

SHA1
263d3729b26e43ac270aa5aaf57e25096a945b66

SHA256
b23701e1ea1f053cec61ef613e672f707500644b598e945c6b56fa60bea0cca2

SHA512
b51e8f644160b7082db3491cf3f9e7f0c5cf6c226441ddda0c22591ff54a2425cc9e683dcd27a299799123eede59e945e7683cd0069fa682a508adfadfe90f14

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
1.2MB

MD5
4876ee75ce2712147c41ff1277cd2d30

SHA1
3733dc92318f0c6b92cb201e49151686281acda6

SHA256
bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed

SHA512
9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

Download Submit
\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
126KB

MD5
6a3105e04d50ffa3cd69b173f7d26625

SHA1
b5b7e44efc1053bf8f104aa2aa4760a128663b74

SHA256
a8b94cadfa4891d5e162b2b8c531de75cce800d732e93a9b42684dea1e9c2a2f

SHA512
41e3edbd7d3794e6b6f058b4bd871b91c9c5d38aad596957f302cfaee2de0665110c90268a11a9a3d84e496e26a34806f76ce3ba3982aa62de60d765b3bad950

Download Submit
memory/1540-17-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1540-19-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1540-2-0x0000000002240000-0x00000000022AF000-memory.dmp

Filesize
444KB

Download
memory/1540-5-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1540-3-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1540-1-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2008-81-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-85-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2008-87-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-84-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2008-83-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2008-82-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2008-79-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2008-80-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2604-21-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2604-55-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2604-86-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2604-89-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2604-20-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2604-105-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2832-46-0x0000000000220000-0x00000000002C7000-memory.dmp

Filesize
668KB

Download
memory/2832-54-0x0000000000400000-0x0000000000B7E000-memory.dmp

Filesize
7.5MB

Download
memory/2832-48-0x00000000024C0000-0x0000000002601000-memory.dmp

Filesize
1.3MB

Download
memory/2832-47-0x0000000000220000-0x00000000002C7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing