amadey | c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amday_JC.exe
Size

2.3MB
MD5

aa486e83365ae67a5778758685ca4d6f
SHA1

633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256

c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512

e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd
SSDEEP

24576:hH1FcclmgReLIGaIhJxSJ2lKZZAsKQ7F1RBdaBZZR0DBfg92KVOikDlbnJ6dT17x:DlbKxF8qg11A1o6Xqm

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

45.9.74.182/b7djSDcPcZ/index.php

Attributes

install_dir
f3f10bd848
install_file
bstyoops.exe
strings_key
05986a1cda6dc6caabf469f27fb6c32d

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\burembajotfvn.lnk	amday_JC.exe

Loads dropped DLL 9 IoCs

pid	Process
324	rundll32.exe
324	rundll32.exe
324	rundll32.exe
324	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2552	amday_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\so64x.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\so64x.dll, rundll"	jsc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2496	2552	amday_JC.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	amday_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	amday_JC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2712	2552	amday_JC.exe	28
PID 2552 wrote to memory of 2712	2552	amday_JC.exe	28
PID 2552 wrote to memory of 2712	2552	amday_JC.exe	28
PID 2552 wrote to memory of 2712	2552	amday_JC.exe	28
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2552 wrote to memory of 2496	2552	amday_JC.exe	29
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 2496 wrote to memory of 324	2496	jsc.exe	32
PID 324 wrote to memory of 2732	324	rundll32.exe	33
PID 324 wrote to memory of 2732	324	rundll32.exe	33
PID 324 wrote to memory of 2732	324	rundll32.exe	33
PID 324 wrote to memory of 2732	324	rundll32.exe	33

C:\Users\Admin\AppData\Local\Temp\amday_JC.exe
"C:\Users\Admin\AppData\Local\Temp\amday_JC.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll, rundll
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll, rundll
      4⤵
      Loads dropped DLL
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\AppData\Local\Temp\1000058061\so64x.dll

Filesize
5.0MB

MD5
3591f963577e1729216989553dc5edf9

SHA1
4451b75b5d4a7225f4663b8e14167616991e5832

SHA256
c246fa2cf020ac9401a6aa6d8ab552057ec79734ceabeca43c0e5ad1d85d6cb4

SHA512
9e35c0ba83bcc455f534997adf28b58c253958087a264827734135caa9243912340fbc271e764ac7209121202cb9e1d5b37fd6f2eb312b6d17a6a02850f6818e

Download Submit
\Users\Admin\Videos\burembajotfvn.exe

Filesize
2.3MB

MD5
aa486e83365ae67a5778758685ca4d6f

SHA1
633e328f5deb9c09e99368fa25f6deca4a601bbb

SHA256
c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7

SHA512
e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

Download Submit
memory/324-61-0x0000000001FF0000-0x0000000002CA4000-memory.dmp

Filesize
12.7MB

Download
memory/324-58-0x0000000001FF0000-0x0000000002CA4000-memory.dmp

Filesize
12.7MB

Download
memory/324-60-0x0000000001FF0000-0x0000000002CA4000-memory.dmp

Filesize
12.7MB

Download
memory/324-64-0x0000000001FF0000-0x0000000002CA4000-memory.dmp

Filesize
12.7MB

Download
memory/2496-33-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-42-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-41-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2496-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2496-38-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2552-19-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-9-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-29-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2552-23-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-25-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-27-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-21-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-15-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-17-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-11-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-13-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-7-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-5-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-4-0x00000000002A0000-0x00000000002B5000-memory.dmp

Filesize
84KB

Download
memory/2552-3-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2552-74-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-0-0x0000000001140000-0x0000000001388000-memory.dmp

Filesize
2.3MB

Download
memory/2552-2-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-28-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2552-67-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2732-66-0x0000000180000000-0x0000000180CB4000-memory.dmp

Filesize
12.7MB

Download
memory/2732-63-0x0000000180000000-0x0000000180CB4000-memory.dmp

Filesize
12.7MB

Download
memory/2732-62-0x0000000180000000-0x0000000180CB4000-memory.dmp

Filesize
12.7MB

Download