amadey | 2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

General

Target

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Size

5.0MB
MD5

890e29d78179dc4611286b863c50df53
SHA1

7bee367b02f66898b9ffb0f2569ca79c04edc19a
SHA256

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734
SHA512

3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08
SSDEEP

98304:I95KeVzJFLYDAQlsumF2SEGKhq1v/28fV4AAc0cq9FcFzUkKm:ArQm2FGKq28tIbWzSm

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 3 IoCs

pid	Process
3768	oneetx.exe
2696	oneetx.exe
2152	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
3768	oneetx.exe
3768	oneetx.exe
2696	oneetx.exe
2696	oneetx.exe
2152	oneetx.exe
2152	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3768	4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	84
PID 4124 wrote to memory of 3768	4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	84
PID 4124 wrote to memory of 3768	4124	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	84
PID 3768 wrote to memory of 3124	3768	oneetx.exe	85
PID 3768 wrote to memory of 3124	3768	oneetx.exe	85
PID 3768 wrote to memory of 3124	3768	oneetx.exe	85
PID 3768 wrote to memory of 4580	3768	oneetx.exe	87
PID 3768 wrote to memory of 4580	3768	oneetx.exe	87
PID 3768 wrote to memory of 4580	3768	oneetx.exe	87
PID 4580 wrote to memory of 2896	4580	cmd.exe	89
PID 4580 wrote to memory of 2896	4580	cmd.exe	89
PID 4580 wrote to memory of 2896	4580	cmd.exe	89
PID 4580 wrote to memory of 5116	4580	cmd.exe	90
PID 4580 wrote to memory of 5116	4580	cmd.exe	90
PID 4580 wrote to memory of 5116	4580	cmd.exe	90
PID 4580 wrote to memory of 3872	4580	cmd.exe	91
PID 4580 wrote to memory of 3872	4580	cmd.exe	91
PID 4580 wrote to memory of 3872	4580	cmd.exe	91
PID 4580 wrote to memory of 4904	4580	cmd.exe	92
PID 4580 wrote to memory of 4904	4580	cmd.exe	92
PID 4580 wrote to memory of 4904	4580	cmd.exe	92
PID 4580 wrote to memory of 352	4580	cmd.exe	93
PID 4580 wrote to memory of 352	4580	cmd.exe	93
PID 4580 wrote to memory of 352	4580	cmd.exe	93
PID 4580 wrote to memory of 228	4580	cmd.exe	94
PID 4580 wrote to memory of 228	4580	cmd.exe	94
PID 4580 wrote to memory of 228	4580	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
"C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:N"
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:R" /E
      4⤵
      PID:228

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\275444769369

Filesize
83KB

MD5
943e58f68d04aad64f0f4e0eac5a6bb8

SHA1
2a76bb1f399e0fb7d1d07b4e0f522e846fb2101c

SHA256
1c6eeefd99228fea921e66c3d19c55aeddda15380c8c58b5a3c79fe644361071

SHA512
fb5f7faca93aba7107b34d4b12a52a171bd4ab804af6b646667cb469ede20066cbda9ed8b638e73112a808a1eae972e70256f028f2dadde0b1789da79717fb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
memory/2152-193-0x0000000000FC0000-0x0000000001807000-memory.dmp

Filesize
8.3MB

Download
memory/2152-192-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/2152-191-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2152-190-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2152-189-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2152-188-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2152-187-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2696-183-0x0000000000FC0000-0x0000000001807000-memory.dmp

Filesize
8.3MB

Download
memory/2696-178-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2696-177-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2696-182-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2696-181-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2696-179-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2696-180-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3768-154-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3768-156-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3768-158-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3768-159-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3768-155-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3768-160-0x0000000000FC0000-0x0000000001807000-memory.dmp

Filesize
8.3MB

Download
memory/3768-157-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4124-133-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4124-137-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/4124-138-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/4124-135-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4124-136-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/4124-139-0x0000000000500000-0x0000000000D47000-memory.dmp

Filesize
8.3MB

Download
memory/4124-134-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads