amadey | e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

481KB
MD5

f9a4f6684d1bf48406a42921aebc1596
SHA1

c9186ff53de4724ede20c6485136b4b2072bb6a6
SHA256

e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042
SHA512

67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd
SSDEEP

12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP

Score

10^/10

amadey cd33f9 credential_access discovery execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

cd33f9

http://193.176.158.185

Attributes

install_dir
fed0c9a4d3
install_file
Hkbsse.exe
strings_key
a2163aef710017f5548e7e730af53cca
url_paths
/B0kf3CbAbR/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2372	rundll32.exe
10	1640	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3004	Hkbsse.exe

Loads dropped DLL 14 IoCs

pid	Process
2140	file.exe
2140	file.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	file.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1996	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
800	netsh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	file.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3004	2140	file.exe	31
PID 2140 wrote to memory of 3004	2140	file.exe	31
PID 2140 wrote to memory of 3004	2140	file.exe	31
PID 2140 wrote to memory of 3004	2140	file.exe	31
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 3004 wrote to memory of 2000	3004	Hkbsse.exe	33
PID 2000 wrote to memory of 2372	2000	rundll32.exe	34
PID 2000 wrote to memory of 2372	2000	rundll32.exe	34
PID 2000 wrote to memory of 2372	2000	rundll32.exe	34
PID 2000 wrote to memory of 2372	2000	rundll32.exe	34
PID 2372 wrote to memory of 800	2372	rundll32.exe	35
PID 2372 wrote to memory of 800	2372	rundll32.exe	35
PID 2372 wrote to memory of 800	2372	rundll32.exe	35
PID 2372 wrote to memory of 1996	2372	rundll32.exe	37
PID 2372 wrote to memory of 1996	2372	rundll32.exe	37
PID 2372 wrote to memory of 1996	2372	rundll32.exe	37
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39
PID 3004 wrote to memory of 1640	3004	Hkbsse.exe	39

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe
  "C:\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1623b75a3df630\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1623b75a3df630\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\294248377141_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1623b75a3df630\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\294248377141

Filesize
51KB

MD5
018ebda768257ab5ab742690ef5d1a46

SHA1
3918677d27e62ae3f0b70689877cf31cde0fb5bd

SHA256
9cf9dd025c49da06adc3bd90afb8a5caa498839e47ad4ea06bee0451cfb2b5c0

SHA512
8de2ab8642b70ea12d1e9ba37cfa35d8ecb0f1f1468f3ad61e1af396b832951d3ab0714720a9d1956f4a5f87f2e28c9bf433a14921b0dcc0c9b5dd7fc3a04fa5

Download Submit
C:\Users\Admin\AppData\Roaming\1623b75a3df630\clip64.dll

Filesize
127KB

MD5
427f3072bdd451e710818c7bb747f48c

SHA1
548d89b6e63dddcb8e1a4bbc315ae7d51de99c9b

SHA256
382101ea8469e7d5d47a794359c2c3a33eb7f13cf3257a178ab083d0937dad47

SHA512
14f046cf86db4dfa2bd946c1951b261b0a94cac066f8941f463f319c667aa7b13f157648f3b00377780f67cdcb6db5d901d397ca125d4ae78390709c7b6419c0

Download Submit
C:\Users\Admin\AppData\Roaming\1623b75a3df630\cred64.dll

Filesize
1.2MB

MD5
4c3dae7199f99fae23325df41d16b097

SHA1
3e20881f65b43c4a802f674008e380d975687456

SHA256
fb7fe89ee4460053c3dc676e97aa1657670d9e41a22db9b7b354995a5c1d4382

SHA512
fcbd82a6308b9647d1859b855afe79da2a240abfe845d8ba00b4a56f9fc7d30ff408fb6c684985398fe41515fea81113749f37edfd7ba99c4deb7f6507f93e6d

Download Submit
\Users\Admin\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe

Filesize
481KB

MD5
f9a4f6684d1bf48406a42921aebc1596

SHA1
c9186ff53de4724ede20c6485136b4b2072bb6a6

SHA256
e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

SHA512
67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

Download Submit
memory/1996-63-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1996-62-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2140-16-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/2140-19-0x0000000003FF0000-0x000000000405E000-memory.dmp

Filesize
440KB

Download
memory/2140-21-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/2140-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2140-18-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2140-2-0x0000000003FF0000-0x000000000405E000-memory.dmp

Filesize
440KB

Download
memory/2140-3-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2140-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/3004-33-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/3004-34-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/3004-69-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download
memory/3004-83-0x0000000000400000-0x0000000002860000-memory.dmp

Filesize
36.4MB

Download