amadey | a814d42d2ba2d7635c40a950022a0230d01475019a8b8e64d6d7bcdf27ef09d7

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2023 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jv16.exe
Size

4.6MB
MD5

03ddc6603e7cf29688920b84e749971e
SHA1

f449e1ccfdad0c22c923ff15e89f9ce706e18b75
SHA256

a814d42d2ba2d7635c40a950022a0230d01475019a8b8e64d6d7bcdf27ef09d7
SHA512

ed43df17ff0dc5634b0f5689569156d0076865b806840e9d8fe2a340f16eef444d97c04e66480f538987e74c631737665332319ce6827737e61b2bfb93965650
SSDEEP

98304:P8XgqZOxDua4RFd5qn+v9CU6UdSlY1b9WoTIrTDwUw:PGZ0Du3h5qn+vQU0Qb9WoTIrPwUw

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.86

ocmtancmi2c4t.xyz/9bDc8sQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4436 created 2604	4436	jv16.exe	14

Executes dropped EXE 1 IoCs

pid	Process
4496	pythonw.exe

Loads dropped DLL 2 IoCs

pid	Process
4496	pythonw.exe
4496	pythonw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4496 set thread context of 4176	4496	pythonw.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4436	jv16.exe
4436	jv16.exe
4496	pythonw.exe
4176	ftp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4496	pythonw.exe
4176	ftp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4496	4436	jv16.exe	86
PID 4436 wrote to memory of 4496	4436	jv16.exe	86
PID 4496 wrote to memory of 4176	4496	pythonw.exe	87
PID 4496 wrote to memory of 4176	4496	pythonw.exe	87
PID 4496 wrote to memory of 4176	4496	pythonw.exe	87
PID 4496 wrote to memory of 4176	4496	pythonw.exe	87
PID 4176 wrote to memory of 3328	4176	ftp.exe	100
PID 4176 wrote to memory of 3328	4176	ftp.exe	100
PID 4176 wrote to memory of 3328	4176	ftp.exe	100
PID 4176 wrote to memory of 3328	4176	ftp.exe	100
PID 4176 wrote to memory of 3328	4176	ftp.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2604
- C:\Users\Admin\AppData\Local\Temp\jv16.exe
  "C:\Users\Admin\AppData\Local\Temp\jv16.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4436
- C:\Users\Admin\AppData\Roaming\XAudio2_9\pythonw.exe
  "C:\Users\Admin\AppData\Roaming\XAudio2_9\pythonw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\ftp.exe
    "C:\Windows\SysWOW64\ftp.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\SysWOW64\certutil.exe"
      4⤵
      PID:3328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\158e9ba5

Filesize
649KB

MD5
5f15be0509cc245572c6ef9bc244a83d

SHA1
e230af44504e0337f8575a5b2b02cc2c838d55c8

SHA256
59025fd998ccefc38fa158048e1dbf4f064dbd6b67d1c07fdce0b8fc6751f84d

SHA512
8698f35dc3f9eaf9cbfed2c00b945df294d5ef1817a2e9760848a4db3479250aecff8f1989dd40b66ad52179ad5acda2ace7ee9dc8005c7b1caa1f9962a54e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\195054982429

Filesize
78KB

MD5
904c12b2474bc1fcff3ef3161355d6fa

SHA1
f0dd021672b37b7f6fbd9ec31352d5b919e31cf1

SHA256
dbb1a21de3aa81650f9c5be346e69c759ce18301aff0d96cff1c4746fefb44f5

SHA512
0f3abbd92200f69a38ab936882f490175684f2abc90f13ea9749130d078ca44d7701c389f93c9e64c26b376a2f7e592161e6609055e1b692e9674541cce869dc

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\pw.txt

Filesize
570KB

MD5
c1f83b015698a5cdb20c61be1a95236d

SHA1
7ada55f5c7122a4dc74e262bfa02966b123d0543

SHA256
6c5a7b357fe16a51f5b7fc703a010c87ad58f8f087091f4a656c15f7ec63f025

SHA512
ce97110b0e3bdd96a60c0c14971725925e9d3ce614e88497668d1839cc5dec19e525393569a08f82e6545c9f74c44f06d2d63c58f3d9ce0c887fb3916ecdc17d

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\python311.dll

Filesize
5.5MB

MD5
313ee61a1a1ed13c4f9006b3cc29f763

SHA1
cfe139faf6b89f5314455606adb5803096512d9c

SHA256
e4fe542f79b7a3b556ed7e823088a1ec69777c5190e7571d1c602742fae5a9f7

SHA512
5cd8aa9d2ab506cc81b653d7b20e631f3460cc66ce3e54538d9a750a915e0b8ced860c7475e07b9a2a04f5675797e544d5409d0989de5236868baefeb006679d

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\python311.dll

Filesize
5.5MB

MD5
313ee61a1a1ed13c4f9006b3cc29f763

SHA1
cfe139faf6b89f5314455606adb5803096512d9c

SHA256
e4fe542f79b7a3b556ed7e823088a1ec69777c5190e7571d1c602742fae5a9f7

SHA512
5cd8aa9d2ab506cc81b653d7b20e631f3460cc66ce3e54538d9a750a915e0b8ced860c7475e07b9a2a04f5675797e544d5409d0989de5236868baefeb006679d

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\pythonw.exe

Filesize
99KB

MD5
9d0f19a3fdf077fc90cb1055018669fd

SHA1
0a5ade59ac8a697f6ea7f437be85e2d378597d5d

SHA256
695ec4080f596f485e4e36de383a32f18042bc13620cf93ba5708ec354b6ca0d

SHA512
ad4eb8f3a99122aff390b32de6394b604144c6bf5caa393cfe3b02c8c5df9508d346fb88e0d2c72591a05b5340937ee85f6b244583db9d19deecb2115de6d69e

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\pythonw.exe

Filesize
99KB

MD5
9d0f19a3fdf077fc90cb1055018669fd

SHA1
0a5ade59ac8a697f6ea7f437be85e2d378597d5d

SHA256
695ec4080f596f485e4e36de383a32f18042bc13620cf93ba5708ec354b6ca0d

SHA512
ad4eb8f3a99122aff390b32de6394b604144c6bf5caa393cfe3b02c8c5df9508d346fb88e0d2c72591a05b5340937ee85f6b244583db9d19deecb2115de6d69e

Download Submit
C:\Users\Admin\AppData\Roaming\XAudio2_9\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
memory/3328-159-0x00000000009C0000-0x00000000009FF000-memory.dmp

Filesize
252KB

Download
memory/3328-160-0x00007FFA5AD90000-0x00007FFA5AF85000-memory.dmp

Filesize
2.0MB

Download
memory/3328-161-0x00000000009C0000-0x00000000009FF000-memory.dmp

Filesize
252KB

Download
memory/3328-163-0x0000000000F10000-0x000000000104F000-memory.dmp

Filesize
1.2MB

Download
memory/3328-173-0x00000000009C0000-0x00000000009FF000-memory.dmp

Filesize
252KB

Download
memory/3328-174-0x00000000009C0000-0x00000000009FF000-memory.dmp

Filesize
252KB

Download
memory/4176-155-0x00007FFA5AD90000-0x00007FFA5AF85000-memory.dmp

Filesize
2.0MB

Download
memory/4436-133-0x00007FFA49A70000-0x00007FFA49D9D000-memory.dmp

Filesize
3.2MB

Download
memory/4436-148-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/4496-152-0x00007FFA3BA20000-0x00007FFA3D097000-memory.dmp

Filesize
22.5MB

Download