amadey | 1de852bd90636a3d75a91ce249d5ae4a777d04064847e404295ac0bb647b4687

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

amadey_v2.exe
Size

188KB
MD5

361cad979b8efd8a32647efef5ea08b3
SHA1

bdcde6402e9b7d6ea3ba7def710c5f68c4bbab46
SHA256

1de852bd90636a3d75a91ce249d5ae4a777d04064847e404295ac0bb647b4687
SHA512

fa77906df9c98308feffbb0d12b228fb13341a1253bb90b82248a34c04eb5c81b3dfbc9724514ed8b1226e1a89c07ad07dfd8f08758c2ae423fc124e92c1275c
SSDEEP

3072:+QCFPNk72p7iLtBX6XNs8Bt747erjuKGZqpRMWZBQAMbmn:+QCFPtp7i5BKXnP7puKGWoe

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.08

45.155.205.65/b1a5gkSc2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	amadey_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	rween.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	rween.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1572	4560	amadey_v2.exe	84
PID 4560 wrote to memory of 1572	4560	amadey_v2.exe	84
PID 4560 wrote to memory of 1572	4560	amadey_v2.exe	84
PID 1572 wrote to memory of 3592	1572	rween.exe	85
PID 1572 wrote to memory of 3592	1572	rween.exe	85
PID 1572 wrote to memory of 3592	1572	rween.exe	85
PID 3592 wrote to memory of 4064	3592	cmd.exe	87
PID 3592 wrote to memory of 4064	3592	cmd.exe	87
PID 3592 wrote to memory of 4064	3592	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\amadey_v2.exe
"C:\Users\Admin\AppData\Local\Temp\amadey_v2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4560
- C:\ProgramData\5caba47efa\rween.exe
  "C:\ProgramData\5caba47efa\rween.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\5caba47efa\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\5caba47efa\
      4⤵
      PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5caba47efa\rween.exe

Filesize
188KB

MD5
361cad979b8efd8a32647efef5ea08b3

SHA1
bdcde6402e9b7d6ea3ba7def710c5f68c4bbab46

SHA256
1de852bd90636a3d75a91ce249d5ae4a777d04064847e404295ac0bb647b4687

SHA512
fa77906df9c98308feffbb0d12b228fb13341a1253bb90b82248a34c04eb5c81b3dfbc9724514ed8b1226e1a89c07ad07dfd8f08758c2ae423fc124e92c1275c

Download Submit
C:\ProgramData\5caba47efa\rween.exe

Filesize
188KB

MD5
361cad979b8efd8a32647efef5ea08b3

SHA1
bdcde6402e9b7d6ea3ba7def710c5f68c4bbab46

SHA256
1de852bd90636a3d75a91ce249d5ae4a777d04064847e404295ac0bb647b4687

SHA512
fa77906df9c98308feffbb0d12b228fb13341a1253bb90b82248a34c04eb5c81b3dfbc9724514ed8b1226e1a89c07ad07dfd8f08758c2ae423fc124e92c1275c

Download Submit
C:\ProgramData\5caba47efa\rween.exe

Filesize
188KB

MD5
361cad979b8efd8a32647efef5ea08b3

SHA1
bdcde6402e9b7d6ea3ba7def710c5f68c4bbab46

SHA256
1de852bd90636a3d75a91ce249d5ae4a777d04064847e404295ac0bb647b4687

SHA512
fa77906df9c98308feffbb0d12b228fb13341a1253bb90b82248a34c04eb5c81b3dfbc9724514ed8b1226e1a89c07ad07dfd8f08758c2ae423fc124e92c1275c

Download Submit