amadey | 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26

General

Target

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
Size

21KB
MD5

d5d6d152edeeb1a13020514aceaad436
SHA1

1909b7fd2f20c4c2e4ecd8c186863f0ca90867d9
SHA256

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26
SHA512

1e398c67483e9cab11e99af590c59274d5f6c23c5a69c88a019052074890b69c8148728fd880ecd7f91ad53f310a061b86154d985948ccc12f33640a0f23b6d0

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

190.123.44.138/Qbv2ff03/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata

Drops startup file 2 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	pid	process	target process
PID 2036 set thread context of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

pid	process
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description pid process

Token: SeDebugPrivilege 2036 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	pid	process
Token: SeDebugPrivilege	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
"C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
"C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe"
2⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
"C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe"
2⤵
PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-70-0x000000000041344C-mapping.dmp

Download
memory/1496-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-54-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2036-55-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/2036-58-0x0000000004620000-0x0000000004628000-memory.dmp

Filesize
32KB

Download
memory/2036-57-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download
memory/2036-56-0x00000000009A5000-0x00000000009B6000-memory.dmp

Filesize
68KB

Download

description	pid	process	target process
PID 2036 wrote to memory of 320	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 320	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 320	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 320	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 2036 wrote to memory of 1496	2036	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads