amadey | 4d02224a7dadfc2d8a1343fdc51e4634a98bd073f867bfd091e667efd112108a

Resubmissions

12-08-2024 14:48

240812-r6r9eawbmm 10

13-04-2022 03:36

220413-d51x9safek 10

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20220331-en
submitted
13-04-2022 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amadey.exe
Size

6.7MB
MD5

fc33eb2d1bc5bddd539a2d498a758b93
SHA1

c2daa51655e86088bb554e89e047667f60af822f
SHA256

4d02224a7dadfc2d8a1343fdc51e4634a98bd073f867bfd091e667efd112108a
SHA512

ea0da825962b2c4beb67ce7bf54ee4139e47b4b756cc474eea06eb856e75d6b6b98133e8d9e3ebd9508c3fbdb47cc5da62eb81a1206fd3383b0673508e098656

Score

10^/10

amadey babadeda crypter loader trojan

Malware Config

Extracted

Family

amadey

Version

2.42

185.215.113.53/bPwsAq2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000126e3-61.dat	family_babadeda

Executes dropped EXE 1 IoCs

pid	Process
1928	RAMhelper.exe

Loads dropped DLL 3 IoCs

pid	Process
1032	amadey.exe
1032	amadey.exe
1928	RAMhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1928	1032	amadey.exe	28
PID 1032 wrote to memory of 1928	1032	amadey.exe	28
PID 1032 wrote to memory of 1928	1032	amadey.exe	28
PID 1032 wrote to memory of 1928	1032	amadey.exe	28

C:\Users\Admin\AppData\Local\Temp\amadey.exe
"C:\Users\Admin\AppData\Local\Temp\amadey.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe
  "C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe

Filesize
4.9MB

MD5
0c8e3d8fbcb0d3fc59ed18c2a231893c

SHA1
4361b91bd9d25b196e3b5b83aee3e8b5b9145a12

SHA256
a6d5ff8173995ddad0defd205c64babdd8254154a82b6790c8363fdc57631f0b

SHA512
601fdaeb83bac979069f97197d3599b11778c93a325242a4507210c220fb16dbbb51ce9d75d29f60041121aa166d4ef7605a7dbc25a98f7afb61189643756956

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\cds.xml

Filesize
417KB

MD5
5c99876abd68dbfb64fe6ee6a5aed894

SHA1
9410d3395d073379ad64c7d338c6c5366b39437a

SHA256
80cd89d38d02a4c48d9fac6b5a57212c6acd9326e00c894050ad4963a6dd55ca

SHA512
114bd9f1dce27298105020015d1c95aa2a923b63194b7405a9c3aa6c533156ee0ac248e4b4bfee1ef14f1fa1c44a77ced70a3bc2959b348a4a391a1a23d080dc

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\swresample-1.dll

Filesize
3.8MB

MD5
203e85bccd9206d76dbc476d8e04155f

SHA1
d0bf7c602b44768adaddea9142315232c34fb684

SHA256
04c5d73baa33bc3a63d5081c171dec0662af22eb08591997e708de37a26a2ba0

SHA512
0d17edd1cbeb277aee2e3f9cf043e789ef442606051452aae2f9590a3bb7d64b4e8f414bf905c6244f9fb34514337c333eb7baca247c44ecff4a92470769b7c8

Download Submit
\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe

Filesize
4.9MB

MD5
0c8e3d8fbcb0d3fc59ed18c2a231893c

SHA1
4361b91bd9d25b196e3b5b83aee3e8b5b9145a12

SHA256
a6d5ff8173995ddad0defd205c64babdd8254154a82b6790c8363fdc57631f0b

SHA512
601fdaeb83bac979069f97197d3599b11778c93a325242a4507210c220fb16dbbb51ce9d75d29f60041121aa166d4ef7605a7dbc25a98f7afb61189643756956

Download Submit
\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe

Filesize
4.9MB

MD5
0c8e3d8fbcb0d3fc59ed18c2a231893c

SHA1
4361b91bd9d25b196e3b5b83aee3e8b5b9145a12

SHA256
a6d5ff8173995ddad0defd205c64babdd8254154a82b6790c8363fdc57631f0b

SHA512
601fdaeb83bac979069f97197d3599b11778c93a325242a4507210c220fb16dbbb51ce9d75d29f60041121aa166d4ef7605a7dbc25a98f7afb61189643756956

Download Submit
\Users\Admin\AppData\Roaming\mXparser2\swresample-1.dll

Filesize
3.8MB

MD5
203e85bccd9206d76dbc476d8e04155f

SHA1
d0bf7c602b44768adaddea9142315232c34fb684

SHA256
04c5d73baa33bc3a63d5081c171dec0662af22eb08591997e708de37a26a2ba0

SHA512
0d17edd1cbeb277aee2e3f9cf043e789ef442606051452aae2f9590a3bb7d64b4e8f414bf905c6244f9fb34514337c333eb7baca247c44ecff4a92470769b7c8

Download Submit
memory/1032-54-0x0000000075181000-0x0000000075183000-memory.dmp

Filesize
8KB

Download
memory/1928-63-0x0000000000D90000-0x000000000127B000-memory.dmp

Filesize
4.9MB

Download