amadey | 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb

General

Target

b413ff6e943c415afc26640ff535c724.exe
Size

2.4MB
MD5

b413ff6e943c415afc26640ff535c724
SHA1

fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256

7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512

ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815

Score

10^/10

amadey trojan

Family

amadey

Version

3.20

C2

happyday9risce.com/gg4mn3s/index.php

xksldjf9sksdjfks.com/gg4mn3s/index.php

dhisa8f9ah02hopasiaf.com/gg4mn3s/index.php

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

orxds.exe

pid process

2016 orxds.exe
Loads dropped DLL 1 IoCs

Processes:

AppLaunch.exe

pid process

932 AppLaunch.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

b413ff6e943c415afc26640ff535c724.exe

description pid process target process

PID 908 set thread context of 932 908 b413ff6e943c415afc26640ff535c724.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1160 908 WerFault.exe b413ff6e943c415afc26640ff535c724.exe

pid	process
2016	orxds.exe

pid	process
932	AppLaunch.exe

description	pid	process	target process
PID 908 set thread context of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe

pid	pid_target	process	target process
1160	908	WerFault.exe	b413ff6e943c415afc26640ff535c724.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b413ff6e943c415afc26640ff535c724.exeAppLaunch.exe

description	pid	process	target process
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 932	908	b413ff6e943c415afc26640ff535c724.exe	AppLaunch.exe
PID 908 wrote to memory of 1160	908	b413ff6e943c415afc26640ff535c724.exe	WerFault.exe
PID 908 wrote to memory of 1160	908	b413ff6e943c415afc26640ff535c724.exe	WerFault.exe
PID 908 wrote to memory of 1160	908	b413ff6e943c415afc26640ff535c724.exe	WerFault.exe
PID 908 wrote to memory of 1160	908	b413ff6e943c415afc26640ff535c724.exe	WerFault.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe
PID 932 wrote to memory of 2016	932	AppLaunch.exe	orxds.exe

C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
3⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 36
2⤵
- Program crash
PID:1160

C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
memory/908-72-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/932-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-63-0x00000000004133CC-mapping.dmp

Download
memory/932-64-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/932-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/932-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1160-67-0x0000000000000000-mapping.dmp

Download
memory/2016-69-0x0000000000000000-mapping.dmp

Download