amadey | 93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

Analysis

max time kernel
251s
max time network
253s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t6665744.exe
Size

315KB
MD5

05ac4bd3218eb17e8034db0341254594
SHA1

c742bd02fa93cbce295f20c24b8e0415d7f6b5ac
SHA256

93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d
SHA512

68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac
SSDEEP

6144:zR/tsQnf6X0M6+koYhXMxjwigfwfgbePu97rrAOQ322222KTq:zRlHVckoaXMxcePu97Hg22222iq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Attributes

install_dir
ebb444342c
install_file
legosa.exe
strings_key
0b59a358b8646634fe523e0d5fe7fc43

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 6 IoCs

pid	Process
2044	legosa.exe
2984	legosa.exe
2880	legosa.exe
1668	legosa.exe
1568	legosa.exe
584	legosa.exe

Loads dropped DLL 5 IoCs

pid	Process
2392	t6665744.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2076	schtasks.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2044	2392	t6665744.exe	28
PID 2392 wrote to memory of 2044	2392	t6665744.exe	28
PID 2392 wrote to memory of 2044	2392	t6665744.exe	28
PID 2392 wrote to memory of 2044	2392	t6665744.exe	28
PID 2044 wrote to memory of 2076	2044	legosa.exe	29
PID 2044 wrote to memory of 2076	2044	legosa.exe	29
PID 2044 wrote to memory of 2076	2044	legosa.exe	29
PID 2044 wrote to memory of 2076	2044	legosa.exe	29
PID 2044 wrote to memory of 2604	2044	legosa.exe	31
PID 2044 wrote to memory of 2604	2044	legosa.exe	31
PID 2044 wrote to memory of 2604	2044	legosa.exe	31
PID 2044 wrote to memory of 2604	2044	legosa.exe	31
PID 2604 wrote to memory of 2736	2604	cmd.exe	33
PID 2604 wrote to memory of 2736	2604	cmd.exe	33
PID 2604 wrote to memory of 2736	2604	cmd.exe	33
PID 2604 wrote to memory of 2736	2604	cmd.exe	33
PID 2604 wrote to memory of 2760	2604	cmd.exe	34
PID 2604 wrote to memory of 2760	2604	cmd.exe	34
PID 2604 wrote to memory of 2760	2604	cmd.exe	34
PID 2604 wrote to memory of 2760	2604	cmd.exe	34
PID 2604 wrote to memory of 2612	2604	cmd.exe	35
PID 2604 wrote to memory of 2612	2604	cmd.exe	35
PID 2604 wrote to memory of 2612	2604	cmd.exe	35
PID 2604 wrote to memory of 2612	2604	cmd.exe	35
PID 2604 wrote to memory of 2584	2604	cmd.exe	36
PID 2604 wrote to memory of 2584	2604	cmd.exe	36
PID 2604 wrote to memory of 2584	2604	cmd.exe	36
PID 2604 wrote to memory of 2584	2604	cmd.exe	36
PID 2604 wrote to memory of 652	2604	cmd.exe	37
PID 2604 wrote to memory of 652	2604	cmd.exe	37
PID 2604 wrote to memory of 652	2604	cmd.exe	37
PID 2604 wrote to memory of 652	2604	cmd.exe	37
PID 2604 wrote to memory of 2776	2604	cmd.exe	38
PID 2604 wrote to memory of 2776	2604	cmd.exe	38
PID 2604 wrote to memory of 2776	2604	cmd.exe	38
PID 2604 wrote to memory of 2776	2604	cmd.exe	38
PID 2532 wrote to memory of 2984	2532	taskeng.exe	41
PID 2532 wrote to memory of 2984	2532	taskeng.exe	41
PID 2532 wrote to memory of 2984	2532	taskeng.exe	41
PID 2532 wrote to memory of 2984	2532	taskeng.exe	41
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2044 wrote to memory of 2856	2044	legosa.exe	44
PID 2532 wrote to memory of 2880	2532	taskeng.exe	45
PID 2532 wrote to memory of 2880	2532	taskeng.exe	45
PID 2532 wrote to memory of 2880	2532	taskeng.exe	45
PID 2532 wrote to memory of 2880	2532	taskeng.exe	45
PID 2532 wrote to memory of 1668	2532	taskeng.exe	46
PID 2532 wrote to memory of 1668	2532	taskeng.exe	46
PID 2532 wrote to memory of 1668	2532	taskeng.exe	46
PID 2532 wrote to memory of 1668	2532	taskeng.exe	46
PID 2532 wrote to memory of 1568	2532	taskeng.exe	47
PID 2532 wrote to memory of 1568	2532	taskeng.exe	47
PID 2532 wrote to memory of 1568	2532	taskeng.exe	47
PID 2532 wrote to memory of 1568	2532	taskeng.exe	47
PID 2532 wrote to memory of 584	2532	taskeng.exe	48
PID 2532 wrote to memory of 584	2532	taskeng.exe	48
PID 2532 wrote to memory of 584	2532	taskeng.exe	48
PID 2532 wrote to memory of 584	2532	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\t6665744.exe
"C:\Users\Admin\AppData\Local\Temp\t6665744.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legosa.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legosa.exe" /P "Admin:N"&&CACLS "legosa.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:N"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:R" /E
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:N"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:R" /E
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2856

C:\Windows\system32\taskeng.exe
taskeng.exe {6C2F3B7D-DC61-40E1-8045-5EB834587B14} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
05ac4bd3218eb17e8034db0341254594

SHA1
c742bd02fa93cbce295f20c24b8e0415d7f6b5ac

SHA256
93c2adf6f76338ef8d08d143d8cd26f049f176fdb69354c9dac58413f6b4eb1d

SHA512
68e430253ebb844bb34cf35822fa8e413384be217215818aedb4d405175e6b04c811f1d2489531f386a887541a1eaf161d86f1ed0382bef424354ddb3edc56ac

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads