amadey | 7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

General

Target

2e0d574bf00170bb5a448510c2226408.exe
Size

1021KB
MD5

2e0d574bf00170bb5a448510c2226408
SHA1

05c599f0ffc3a7474a51ecbda9de51f8dce0ba62
SHA256

7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966
SHA512

7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.15

C2

185.215.113.49/fT5G42s/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

jmgas.exe

pid process

796 jmgas.exe
Loads dropped DLL 1 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe

pid process

1888 2e0d574bf00170bb5a448510c2226408.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe

description pid process target process

PID 1948 set thread context of 1888 1948 2e0d574bf00170bb5a448510c2226408.exe 2e0d574bf00170bb5a448510c2226408.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

pid process

1948 2e0d574bf00170bb5a448510c2226408.exe
1948 2e0d574bf00170bb5a448510c2226408.exe
1000 powershell.exe
1000 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1948 2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege 1000 powershell.exe

pid	process
796	jmgas.exe

pid	process
1888	2e0d574bf00170bb5a448510c2226408.exe

description	pid	process	target process
PID 1948 set thread context of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe

pid	process
1948	2e0d574bf00170bb5a448510c2226408.exe
1948	2e0d574bf00170bb5a448510c2226408.exe
1000	powershell.exe
1000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe2e0d574bf00170bb5a448510c2226408.exe

description	pid	process	target process
PID 1948 wrote to memory of 1000	1948	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1948 wrote to memory of 1000	1948	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1948 wrote to memory of 1000	1948	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1948 wrote to memory of 1000	1948	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1948 wrote to memory of 1888	1948	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 1888 wrote to memory of 796	1888	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 1888 wrote to memory of 796	1888	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 1888 wrote to memory of 796	1888	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 1888 wrote to memory of 796	1888	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888

C:\ProgramData\c3a72be100\jmgas.exe
"C:\ProgramData\c3a72be100\jmgas.exe"
3⤵
- Executes dropped EXE
PID:796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
memory/796-81-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/796-76-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/796-73-0x0000000000000000-mapping.dmp

Download
memory/1000-85-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1000-88-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1000-118-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1000-117-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1000-103-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1000-66-0x0000000000000000-mapping.dmp

Download
memory/1000-102-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1000-101-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1000-94-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1000-79-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1000-80-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1000-82-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1000-93-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1000-83-0x0000000004832000-0x0000000004833000-memory.dmp

Filesize
4KB

Download
memory/1000-84-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1888-68-0x000000000040F0BB-mapping.dmp

Download
memory/1888-67-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-69-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1948-60-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1948-62-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1948-63-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/1948-64-0x0000000000E70000-0x0000000000EDE000-memory.dmp

Filesize
440KB

Download
memory/1948-65-0x0000000000C10000-0x0000000000C47000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing