Amadey stealer plugin adds Mikrotik and Outlook harvesting

By: Jason Reaves and Harold Ogden
Published: 2021-07-08 · Archived: 2026-04-05 12:43:30 UTC

Last year Zscaler[3] wrote an article detailing a new version of Amadey, “a2020 Amadey”, that came with two new plugins, ‘cred.dll’ and ‘scr.dll’. Recently, Amadey has been updated again to a new version, “a2021 Amadey”. This article goes over some interesting additions to its stealer plugin component.

Figure: 2021 Amadey Panel

With this new version come some interesting additions to the ‘cred’ stealer plugin, as they have added functionality for harvesting Mikrotik router data and Outlook data.

Older versions of Mikrotik's Winbox[1] would give the option to export your data to a ‘WBX’ file, which would store the usernames and passwords for your managed devices unencrypted, along with an Addresses.cdb file, which is also stored unencrypted. Freely available tools also exist to help parse these files[2] for recovering lost credentials.

Another addition is the parsing of Outlook profiles from the registry in order to harvest account data.

Loaders such as Amadey continue to update their toolsets for selling on the underground, and the addition of Outlook account and Mikrotik account harvesting shouldn’t surprise anyone, as both can be valuable data sets for criminal activities.
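As an added example (not code from the original article or from any Mikrotik tooling), the following audit script locates the Winbox files named above, ‘WBX’ exports and Addresses.cdb, so that leftover plaintext credential stores can be found and removed from endpoints. The root directory to scan is chosen by the auditor, and the function names are hypothetical.

```python
"""Added example: audit a directory tree for Winbox plaintext credential stores."""
import os
from datetime import datetime, timezone

# File names taken from the article: Winbox 'WBX' exports and Addresses.cdb.
WINBOX_EXACT = {"addresses.cdb"}
WINBOX_EXTS = {".wbx"}


def is_winbox_store(filename):
    """True if the name matches a Winbox export or address book (case-insensitive)."""
    lower = filename.lower()
    return lower in WINBOX_EXACT or os.path.splitext(lower)[1] in WINBOX_EXTS


def find_winbox_stores(root):
    """Walk `root` (auditor-chosen) and return one record per match, sorted by path."""
    findings = []
    # onerror ignores directories that cannot be listed (e.g. other users' profiles).
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if not is_winbox_store(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable
            findings.append({
                "path": path,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for hit in find_winbox_stores(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f'{hit["modified"]}  {hit["size"]:>8}  {hit["path"]}')
```

Any hit is worth treating as a credential exposure: rotate the router passwords it may contain before deleting the file.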
IOCs

d860bd740863e9280761ad3162d4b135d7e8cac7a9aaf302a92496e3217beb95
b7eecf0ae1204a0301509d9dd1ad1a7329463ed5
fa07c8de6db23c1be2ee8da97c5621f7fc006469f84e2835195fc943de43d544
d8932ee7ff3b37f1f566dd70233aab7e8f388558

References

1: https://forum.mikrotik.com/viewtopic.php?t=111705
2: https://github.com/jabb3rd/RouterOS_Tools
3: https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat

Source: https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4