amadey | 462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

General

Target

ed4e77ea9305aeae3b545735358b6d1b.exe
Size

345KB
MD5

ed4e77ea9305aeae3b545735358b6d1b
SHA1

5aadcc89f95baf1452776f3b6a87cd2fbc89bd30
SHA256

462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6
SHA512

4dee200e21281f63a6445c7ee9a2dec5003e6a854279b0b37cbd8121af182028e0c3f11b204c34d58bf7936ba4bd8dd936f82eac979e0081b21515797a47d641

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.14

C2

cdn12-web-security.com/gf4EdsW/index.php

shegw583reg.hopto.org/gf4EdsW/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 2 IoCs

Processes:

brdm.exebrdm.exe

pid process

692 brdm.exe
1460 brdm.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ed4e77ea9305aeae3b545735358b6d1b.exebrdm.exe

pid process

2536 ed4e77ea9305aeae3b545735358b6d1b.exe
2536 ed4e77ea9305aeae3b545735358b6d1b.exe
1460 brdm.exe
1460 brdm.exe

pid	process
692	brdm.exe
1460	brdm.exe

pid	process
2536	ed4e77ea9305aeae3b545735358b6d1b.exe
2536	ed4e77ea9305aeae3b545735358b6d1b.exe
1460	brdm.exe
1460	brdm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ed4e77ea9305aeae3b545735358b6d1b.exebrdm.exe

description	pid	process	target process
PID 496 set thread context of 2536	496	ed4e77ea9305aeae3b545735358b6d1b.exe	ed4e77ea9305aeae3b545735358b6d1b.exe
PID 692 set thread context of 1460	692	brdm.exe	brdm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ed4e77ea9305aeae3b545735358b6d1b.exebrdm.exe

pid process

496 ed4e77ea9305aeae3b545735358b6d1b.exe
692 brdm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ed4e77ea9305aeae3b545735358b6d1b.exebrdm.exe

pid process

496 ed4e77ea9305aeae3b545735358b6d1b.exe
692 brdm.exe

pid	process
496	ed4e77ea9305aeae3b545735358b6d1b.exe
692	brdm.exe

pid	process
496	ed4e77ea9305aeae3b545735358b6d1b.exe
692	brdm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ed4e77ea9305aeae3b545735358b6d1b.exeed4e77ea9305aeae3b545735358b6d1b.exebrdm.exebrdm.execmd.exe

description	pid	process	target process
PID 496 wrote to memory of 2536	496	ed4e77ea9305aeae3b545735358b6d1b.exe	ed4e77ea9305aeae3b545735358b6d1b.exe
PID 496 wrote to memory of 2536	496	ed4e77ea9305aeae3b545735358b6d1b.exe	ed4e77ea9305aeae3b545735358b6d1b.exe
PID 496 wrote to memory of 2536	496	ed4e77ea9305aeae3b545735358b6d1b.exe	ed4e77ea9305aeae3b545735358b6d1b.exe
PID 496 wrote to memory of 2536	496	ed4e77ea9305aeae3b545735358b6d1b.exe	ed4e77ea9305aeae3b545735358b6d1b.exe
PID 2536 wrote to memory of 692	2536	ed4e77ea9305aeae3b545735358b6d1b.exe	brdm.exe
PID 2536 wrote to memory of 692	2536	ed4e77ea9305aeae3b545735358b6d1b.exe	brdm.exe
PID 2536 wrote to memory of 692	2536	ed4e77ea9305aeae3b545735358b6d1b.exe	brdm.exe
PID 692 wrote to memory of 1460	692	brdm.exe	brdm.exe
PID 692 wrote to memory of 1460	692	brdm.exe	brdm.exe
PID 692 wrote to memory of 1460	692	brdm.exe	brdm.exe
PID 692 wrote to memory of 1460	692	brdm.exe	brdm.exe
PID 1460 wrote to memory of 4008	1460	brdm.exe	cmd.exe
PID 1460 wrote to memory of 4008	1460	brdm.exe	cmd.exe
PID 1460 wrote to memory of 4008	1460	brdm.exe	cmd.exe
PID 4008 wrote to memory of 3128	4008	cmd.exe	reg.exe
PID 4008 wrote to memory of 3128	4008	cmd.exe	reg.exe
PID 4008 wrote to memory of 3128	4008	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe
"C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe
"C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2536

C:\ProgramData\04bbb7d123\brdm.exe
"C:\ProgramData\04bbb7d123\brdm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:692

C:\ProgramData\04bbb7d123\brdm.exe
"C:\ProgramData\04bbb7d123\brdm.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\04bbb7d123\
5⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\04bbb7d123\
6⤵
PID:3128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\04bbb7d123\brdm.exe
MD5
ed4e77ea9305aeae3b545735358b6d1b

SHA1
5aadcc89f95baf1452776f3b6a87cd2fbc89bd30

SHA256
462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

SHA512
4dee200e21281f63a6445c7ee9a2dec5003e6a854279b0b37cbd8121af182028e0c3f11b204c34d58bf7936ba4bd8dd936f82eac979e0081b21515797a47d641

Download Submit
C:\ProgramData\04bbb7d123\brdm.exe
MD5
ed4e77ea9305aeae3b545735358b6d1b

SHA1
5aadcc89f95baf1452776f3b6a87cd2fbc89bd30

SHA256
462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

SHA512
4dee200e21281f63a6445c7ee9a2dec5003e6a854279b0b37cbd8121af182028e0c3f11b204c34d58bf7936ba4bd8dd936f82eac979e0081b21515797a47d641

Download Submit
C:\ProgramData\04bbb7d123\brdm.exe
MD5
ed4e77ea9305aeae3b545735358b6d1b

SHA1
5aadcc89f95baf1452776f3b6a87cd2fbc89bd30

SHA256
462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

SHA512
4dee200e21281f63a6445c7ee9a2dec5003e6a854279b0b37cbd8121af182028e0c3f11b204c34d58bf7936ba4bd8dd936f82eac979e0081b21515797a47d641

Download Submit
C:\ProgramData\152119853632563005190890
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/496-116-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/496-118-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/692-121-0x0000000000000000-mapping.dmp

Download
memory/692-126-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1460-134-0x0000000000440000-0x000000000058A000-memory.dmp

Filesize
1.3MB

Download
memory/1460-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-127-0x000000000040F4EB-mapping.dmp

Download
memory/2536-120-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2536-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-117-0x000000000040F4EB-mapping.dmp

Download
memory/3128-131-0x0000000000000000-mapping.dmp

Download
memory/4008-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing