amadey | 7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

General

Target

2e0d574bf00170bb5a448510c2226408.exe
Size

1021KB
MD5

2e0d574bf00170bb5a448510c2226408
SHA1

05c599f0ffc3a7474a51ecbda9de51f8dce0ba62
SHA256

7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966
SHA512

7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.15

C2

185.215.113.49/fT5G42s/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

jmgas.exe

pid process

3900 jmgas.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe

description pid process target process

PID 3892 set thread context of 3580 3892 2e0d574bf00170bb5a448510c2226408.exe 2e0d574bf00170bb5a448510c2226408.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3900	jmgas.exe

description	pid	process	target process
PID 3892 set thread context of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

pid	process
3892	2e0d574bf00170bb5a448510c2226408.exe
3892	2e0d574bf00170bb5a448510c2226408.exe
3892	2e0d574bf00170bb5a448510c2226408.exe
1304	powershell.exe
1304	powershell.exe
1304	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3892 2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege 1304 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3892	2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege	1304	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe2e0d574bf00170bb5a448510c2226408.exe

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\ProgramData\c3a72be100\jmgas.exe
"C:\ProgramData\c3a72be100\jmgas.exe"
3⤵
- Executes dropped EXE
PID:3900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
memory/1304-149-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/1304-161-0x0000000009380000-0x00000000093B3000-memory.dmp

Filesize
204KB

Download
memory/1304-176-0x0000000006DE3000-0x0000000006DE4000-memory.dmp

Filesize
4KB

Download
memory/1304-175-0x000000007ECD0000-0x000000007ECD1000-memory.dmp

Filesize
4KB

Download
memory/1304-174-0x00000000096C0000-0x00000000096C1000-memory.dmp

Filesize
4KB

Download
memory/1304-173-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/1304-168-0x0000000009340000-0x0000000009341000-memory.dmp

Filesize
4KB

Download
memory/1304-141-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/1304-125-0x0000000000000000-mapping.dmp

Download
memory/1304-144-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/1304-153-0x00000000083D0000-0x00000000083D1000-memory.dmp

Filesize
4KB

Download
memory/1304-152-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/1304-151-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/1304-150-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/1304-133-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1304-135-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/1304-147-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1304-143-0x0000000006DE2000-0x0000000006DE3000-memory.dmp

Filesize
4KB

Download
memory/3580-127-0x000000000040F0BB-mapping.dmp

Download
memory/3580-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3580-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3892-123-0x00000000059B0000-0x0000000005A1E000-memory.dmp

Filesize
440KB

Download
memory/3892-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3892-117-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/3892-120-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3892-118-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3892-116-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3892-122-0x0000000004E40000-0x0000000004E4C000-memory.dmp

Filesize
48KB

Download
memory/3892-121-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3892-124-0x0000000007F10000-0x0000000007F47000-memory.dmp

Filesize
220KB

Download
memory/3892-119-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download
memory/3900-146-0x0000000004DA0000-0x000000000529E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-130-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3892 wrote to memory of 1304	3892	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 3892 wrote to memory of 1304	3892	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 3892 wrote to memory of 1304	3892	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3892 wrote to memory of 3580	3892	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3580 wrote to memory of 3900	3580	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 3580 wrote to memory of 3900	3580	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 3580 wrote to memory of 3900	3580	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe

Analysis

Sharing