amadey | 7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb

Analysis

max time kernel
104s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-05-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b413ff6e943c415afc26640ff535c724.exe
Size

2.4MB
MD5

b413ff6e943c415afc26640ff535c724
SHA1

fcc13d52bf28416f3b8a594d58113fd8828a4093
SHA256

7ff0ff6e51a58398ad73da3cc8e7e6233a23e49d93aaa4b190672e4f9f08b9bb
SHA512

ca5ac0fc7aa0ed1a615ccd628b8b97b3d83b31e0da58b9d9e23e4e9f97bfa598920119e8afbbdac6e97c994e8739651083fd1afe69384d25a1fd6bc4702ce815

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.20

happyday9risce.com/gg4mn3s/index.php

xksldjf9sksdjfks.com/gg4mn3s/index.php

dhisa8f9ah02hopasiaf.com/gg4mn3s/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
4616	orxds.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4760	3280	WerFault.exe	79

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82
PID 3280 wrote to memory of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82
PID 3280 wrote to memory of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82
PID 3280 wrote to memory of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82
PID 3280 wrote to memory of 3468	3280	b413ff6e943c415afc26640ff535c724.exe	82
PID 3468 wrote to memory of 4616	3468	AppLaunch.exe	86
PID 3468 wrote to memory of 4616	3468	AppLaunch.exe	86
PID 3468 wrote to memory of 4616	3468	AppLaunch.exe	86

C:\Users\Admin\AppData\Local\Temp\b413ff6e943c415afc26640ff535c724.exe
"C:\Users\Admin\AppData\Local\Temp\b413ff6e943c415afc26640ff535c724.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
    "C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
    3⤵
    - Executes dropped EXE
    PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 148
  2⤵
  - Program crash
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3280 -ip 3280
1⤵
PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
memory/3280-139-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/3468-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-138-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download