amadey | 2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000800000001235f-92.exe
Size

205KB
MD5

2425b77a718e305dc30869618074ac44
SHA1

49af371aad990f5d138dce055450061994d9a367
SHA256

2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364
SHA512

127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb
SSDEEP

3072:CXkSckkHbzG1iXAt60p0zuNmnKG7peNMQbuZAIOb2y3xfbT:8kSDAzG1iciuInRexuZAIKj

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.84

77.91.68.63/doma/net/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1184	rugen.exe
1332	rugen.exe
948	rugen.exe

Loads dropped DLL 5 IoCs

pid	Process
1212	0x000800000001235f-92.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe
1052	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1224	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1212	0x000800000001235f-92.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1184	1212	0x000800000001235f-92.exe	27
PID 1212 wrote to memory of 1184	1212	0x000800000001235f-92.exe	27
PID 1212 wrote to memory of 1184	1212	0x000800000001235f-92.exe	27
PID 1212 wrote to memory of 1184	1212	0x000800000001235f-92.exe	27
PID 1184 wrote to memory of 1224	1184	rugen.exe	28
PID 1184 wrote to memory of 1224	1184	rugen.exe	28
PID 1184 wrote to memory of 1224	1184	rugen.exe	28
PID 1184 wrote to memory of 1224	1184	rugen.exe	28
PID 1184 wrote to memory of 560	1184	rugen.exe	30
PID 1184 wrote to memory of 560	1184	rugen.exe	30
PID 1184 wrote to memory of 560	1184	rugen.exe	30
PID 1184 wrote to memory of 560	1184	rugen.exe	30
PID 560 wrote to memory of 1628	560	cmd.exe	32
PID 560 wrote to memory of 1628	560	cmd.exe	32
PID 560 wrote to memory of 1628	560	cmd.exe	32
PID 560 wrote to memory of 1628	560	cmd.exe	32
PID 560 wrote to memory of 1756	560	cmd.exe	33
PID 560 wrote to memory of 1756	560	cmd.exe	33
PID 560 wrote to memory of 1756	560	cmd.exe	33
PID 560 wrote to memory of 1756	560	cmd.exe	33
PID 560 wrote to memory of 1652	560	cmd.exe	34
PID 560 wrote to memory of 1652	560	cmd.exe	34
PID 560 wrote to memory of 1652	560	cmd.exe	34
PID 560 wrote to memory of 1652	560	cmd.exe	34
PID 560 wrote to memory of 692	560	cmd.exe	35
PID 560 wrote to memory of 692	560	cmd.exe	35
PID 560 wrote to memory of 692	560	cmd.exe	35
PID 560 wrote to memory of 692	560	cmd.exe	35
PID 560 wrote to memory of 600	560	cmd.exe	36
PID 560 wrote to memory of 600	560	cmd.exe	36
PID 560 wrote to memory of 600	560	cmd.exe	36
PID 560 wrote to memory of 600	560	cmd.exe	36
PID 560 wrote to memory of 1220	560	cmd.exe	37
PID 560 wrote to memory of 1220	560	cmd.exe	37
PID 560 wrote to memory of 1220	560	cmd.exe	37
PID 560 wrote to memory of 1220	560	cmd.exe	37
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1184 wrote to memory of 1052	1184	rugen.exe	40
PID 1064 wrote to memory of 1332	1064	taskeng.exe	42
PID 1064 wrote to memory of 1332	1064	taskeng.exe	42
PID 1064 wrote to memory of 1332	1064	taskeng.exe	42
PID 1064 wrote to memory of 1332	1064	taskeng.exe	42
PID 1064 wrote to memory of 948	1064	taskeng.exe	43
PID 1064 wrote to memory of 948	1064	taskeng.exe	43
PID 1064 wrote to memory of 948	1064	taskeng.exe	43
PID 1064 wrote to memory of 948	1064	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\0x000800000001235f-92.exe
"C:\Users\Admin\AppData\Local\Temp\0x000800000001235f-92.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:N"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:R" /E
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:N"
      4⤵
      PID:600
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:R" /E
      4⤵
      PID:1220
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {45B9DF93-E68C-41FE-AA0A-1254677C78BF} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  2⤵
  - Executes dropped EXE
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
2425b77a718e305dc30869618074ac44

SHA1
49af371aad990f5d138dce055450061994d9a367

SHA256
2a40373ae4688abc43698d24dc63b9f2a079cbb71a9bca4f90e23dd9be573364

SHA512
127c8747539ed9213cc4a1bb256f91371c349918be6abf9b02000c502901a0334a22edde6c6114e0e847d45a3ab6590d51d735ebe60086fd9d5f19ad6d3cabbb

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads