amadey | 52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
Size

1.8MB
MD5

33f3040b744a6d2a175866104e3953e4
SHA1

5263310e8e4fe7984ca29d9a06accd0d237c208c
SHA256

52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e
SHA512

9ae372be827fad0e7a32623b313e9126533e353b319af546b140f2d58617c369b3c0c7054aa3ea8f58face66c8a036960618cfd68b0f897f88e5507eb93f9e82
SSDEEP

24576:XWhAat7ZeOLYOKxBMfRR3JPf77cJCCDQzIP2LBq4rHsq6N53:GhAa5YfuR3N/4DmIPSBXrMq6b3

Score

10^/10

amadey 0163e2 credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0163e2

http://185.215.113.101

Attributes

install_dir
e15c790a46
install_file
Hkbsse.exe
strings_key
0727c27c867fbf8087d1e795f4f7c249
url_paths
/g99kdj4vsA/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 3 IoCs

pid	Process
3904	Hkbsse.exe
3000	Hkbsse.exe
2884	Hkbsse.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3580 set thread context of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 set thread context of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3996 set thread context of 1624	3996	AddInProcess32.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
3996	AddInProcess32.exe
3996	AddInProcess32.exe
3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
1624	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
Token: SeDebugPrivilege	3996	AddInProcess32.exe
Token: SeDebugPrivilege	1624	InstallUtil.exe
Token: SeBackupPrivilege	1624	InstallUtil.exe
Token: SeSecurityPrivilege	1624	InstallUtil.exe
Token: SeSecurityPrivilege	1624	InstallUtil.exe
Token: SeSecurityPrivilege	1624	InstallUtil.exe
Token: SeSecurityPrivilege	1624	InstallUtil.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 3996	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	93
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4292	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	99
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3580 wrote to memory of 4744	3580	52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe	100
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 3996 wrote to memory of 1624	3996	AddInProcess32.exe	101
PID 4744 wrote to memory of 3904	4744	AddInProcess32.exe	104
PID 4744 wrote to memory of 3904	4744	AddInProcess32.exe	104
PID 4744 wrote to memory of 3904	4744	AddInProcess32.exe	104

C:\Users\Admin\AppData\Local\Temp\52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe
"C:\Users\Admin\AppData\Local\Temp\52774cf618d18843fc617ea6e340a5fb1e36559d6c0c372c6c5214ab1fb6e34e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:4292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904

C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000

C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hkbsse.exe.log

Filesize
411B

MD5
11bf8baec939519fc233f581b0853250

SHA1
fd6be3ec5a12cec16ef87f35e69134bfa522386a

SHA256
aa367951f76ca413307e745f97640321a46d8d6c20cf27ffb7a259481b576f88

SHA512
e06fbd6bf555460dca2b876f44806abbdb8a5d82a92464854cb03f081ac0421ea2803c8caf3f1755494e218eb0b6ef68368da736b2323df9c9dcbd45984e8172

Download Submit
C:\Users\Admin\AppData\Local\Temp\e15c790a46\Hkbsse.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/1624-51-0x0000000009250000-0x00000000092B6000-memory.dmp

Filesize
408KB

Download
memory/1624-54-0x000000000A260000-0x000000000A422000-memory.dmp

Filesize
1.8MB

Download
memory/1624-53-0x0000000009500000-0x000000000951E000-memory.dmp

Filesize
120KB

Download
memory/1624-52-0x0000000009540000-0x00000000095B6000-memory.dmp

Filesize
472KB

Download
memory/1624-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1624-50-0x0000000008640000-0x000000000868C000-memory.dmp

Filesize
304KB

Download
memory/1624-49-0x00000000084E0000-0x000000000851C000-memory.dmp

Filesize
240KB

Download
memory/1624-48-0x0000000008480000-0x0000000008492000-memory.dmp

Filesize
72KB

Download
memory/1624-47-0x0000000008530000-0x000000000863A000-memory.dmp

Filesize
1.0MB

Download
memory/1624-46-0x00000000089C0000-0x0000000008FD8000-memory.dmp

Filesize
6.1MB

Download
memory/1624-55-0x000000000A960000-0x000000000AE8C000-memory.dmp

Filesize
5.2MB

Download
memory/3580-10-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3580-6-0x0000000005530000-0x0000000005574000-memory.dmp

Filesize
272KB

Download
memory/3580-1-0x0000000000AC0000-0x0000000000C8A000-memory.dmp

Filesize
1.8MB

Download
memory/3580-2-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/3580-3-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/3580-18-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3580-4-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/3580-14-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3580-5-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3580-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3580-24-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3580-7-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/3580-8-0x0000000006A70000-0x0000000006A8A000-memory.dmp

Filesize
104KB

Download
memory/3580-9-0x0000000006A90000-0x0000000006A96000-memory.dmp

Filesize
24KB

Download
memory/3580-11-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3904-43-0x0000000005170000-0x000000000519A000-memory.dmp

Filesize
168KB

Download
memory/3904-44-0x0000000005200000-0x0000000005256000-memory.dmp

Filesize
344KB

Download
memory/3904-42-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/3996-20-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3996-38-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3996-12-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3996-13-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/3996-19-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3996-17-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3996-16-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3996-15-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/4744-23-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4744-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download