amadey | bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0005000000018fd8-86.exe
Size

227KB
MD5

abd8f8d207c829721ce5a4bfe0f84750
SHA1

55ecd2353e098e1b2856320bef2b1502c7db4669
SHA256

bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe
SHA512

e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d
SSDEEP

3072:oTzC4usLP+wOULUFAB3i9nyRA4/Prk3huiPFSbuZRuNcZVKOUm8LHIMbffWtsm3:oTzYsLdf/Rity237PFHRuNcPKOK3+

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.85

77.91.68.3/home/love/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	0x0005000000018fd8-86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 4 IoCs

pid	Process
2332	danke.exe
2084	danke.exe
3504	danke.exe
4324	danke.exe

Loads dropped DLL 1 IoCs

pid	Process
1008	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4488	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5044	0x0005000000018fd8-86.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 2332	5044	0x0005000000018fd8-86.exe	84
PID 5044 wrote to memory of 2332	5044	0x0005000000018fd8-86.exe	84
PID 5044 wrote to memory of 2332	5044	0x0005000000018fd8-86.exe	84
PID 2332 wrote to memory of 4488	2332	danke.exe	85
PID 2332 wrote to memory of 4488	2332	danke.exe	85
PID 2332 wrote to memory of 4488	2332	danke.exe	85
PID 2332 wrote to memory of 4256	2332	danke.exe	87
PID 2332 wrote to memory of 4256	2332	danke.exe	87
PID 2332 wrote to memory of 4256	2332	danke.exe	87
PID 4256 wrote to memory of 2460	4256	cmd.exe	89
PID 4256 wrote to memory of 2460	4256	cmd.exe	89
PID 4256 wrote to memory of 2460	4256	cmd.exe	89
PID 4256 wrote to memory of 4560	4256	cmd.exe	90
PID 4256 wrote to memory of 4560	4256	cmd.exe	90
PID 4256 wrote to memory of 4560	4256	cmd.exe	90
PID 4256 wrote to memory of 480	4256	cmd.exe	91
PID 4256 wrote to memory of 480	4256	cmd.exe	91
PID 4256 wrote to memory of 480	4256	cmd.exe	91
PID 4256 wrote to memory of 5096	4256	cmd.exe	92
PID 4256 wrote to memory of 5096	4256	cmd.exe	92
PID 4256 wrote to memory of 5096	4256	cmd.exe	92
PID 4256 wrote to memory of 4636	4256	cmd.exe	93
PID 4256 wrote to memory of 4636	4256	cmd.exe	93
PID 4256 wrote to memory of 4636	4256	cmd.exe	93
PID 4256 wrote to memory of 396	4256	cmd.exe	94
PID 4256 wrote to memory of 396	4256	cmd.exe	94
PID 4256 wrote to memory of 396	4256	cmd.exe	94
PID 2332 wrote to memory of 1008	2332	danke.exe	110
PID 2332 wrote to memory of 1008	2332	danke.exe	110
PID 2332 wrote to memory of 1008	2332	danke.exe	110

C:\Users\Admin\AppData\Local\Temp\0x0005000000018fd8-86.exe
"C:\Users\Admin\AppData\Local\Temp\0x0005000000018fd8-86.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "danke.exe" /P "Admin:N"
      4⤵
      PID:4560
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "danke.exe" /P "Admin:R" /E
      4⤵
      PID:480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\3ec1f323b5" /P "Admin:N"
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\3ec1f323b5" /P "Admin:R" /E
      4⤵
      PID:396
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1008

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
227KB

MD5
abd8f8d207c829721ce5a4bfe0f84750

SHA1
55ecd2353e098e1b2856320bef2b1502c7db4669

SHA256
bf7c1d8f8bb76eeba3a63a7067a70b4aecaaff66d9fe4edd0d52e7846030b0fe

SHA512
e3a4315864a815c33c8035e66e409f315ea871f2f61b5ea83eab0b1f30de07fde0dfe511a81a21945bcd693912fffc48e159bdfea416511982a9c8876553e27d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
272B

MD5
d867eabb1be5b45bc77bb06814e23640

SHA1
3139a51ce7e8462c31070363b9532c13cc52c82d

SHA256
38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349

SHA512
afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads