amadey | c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

Analysis

max time kernel
250s
max time network
255s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u8542029.exe
Size

316KB
MD5

9be7155d4a92aee655188c13f3fb8a77
SHA1

fb89091adce9edb48f90539154d566b710df5f3e
SHA256

c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8
SHA512

e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc
SSDEEP

6144:zR/tsQnf6X0M6+koYhXMxjwigfwfgbePu97rrAOQ322222KTq:zRlHVckoaXMxcePu97Hg22222iq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Attributes

install_dir
ebb444342c
install_file
legosa.exe
strings_key
0b59a358b8646634fe523e0d5fe7fc43

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 6 IoCs

pid	Process
1484	legosa.exe
2536	legosa.exe
2832	legosa.exe
1036	legosa.exe
836	legosa.exe
2240	legosa.exe

Loads dropped DLL 5 IoCs

pid	Process
2404	u8542029.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3024	schtasks.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1484	2404	u8542029.exe	28
PID 2404 wrote to memory of 1484	2404	u8542029.exe	28
PID 2404 wrote to memory of 1484	2404	u8542029.exe	28
PID 2404 wrote to memory of 1484	2404	u8542029.exe	28
PID 1484 wrote to memory of 3024	1484	legosa.exe	29
PID 1484 wrote to memory of 3024	1484	legosa.exe	29
PID 1484 wrote to memory of 3024	1484	legosa.exe	29
PID 1484 wrote to memory of 3024	1484	legosa.exe	29
PID 1484 wrote to memory of 2628	1484	legosa.exe	31
PID 1484 wrote to memory of 2628	1484	legosa.exe	31
PID 1484 wrote to memory of 2628	1484	legosa.exe	31
PID 1484 wrote to memory of 2628	1484	legosa.exe	31
PID 2628 wrote to memory of 2760	2628	cmd.exe	33
PID 2628 wrote to memory of 2760	2628	cmd.exe	33
PID 2628 wrote to memory of 2760	2628	cmd.exe	33
PID 2628 wrote to memory of 2760	2628	cmd.exe	33
PID 2628 wrote to memory of 2732	2628	cmd.exe	34
PID 2628 wrote to memory of 2732	2628	cmd.exe	34
PID 2628 wrote to memory of 2732	2628	cmd.exe	34
PID 2628 wrote to memory of 2732	2628	cmd.exe	34
PID 2628 wrote to memory of 2728	2628	cmd.exe	35
PID 2628 wrote to memory of 2728	2628	cmd.exe	35
PID 2628 wrote to memory of 2728	2628	cmd.exe	35
PID 2628 wrote to memory of 2728	2628	cmd.exe	35
PID 2628 wrote to memory of 2772	2628	cmd.exe	36
PID 2628 wrote to memory of 2772	2628	cmd.exe	36
PID 2628 wrote to memory of 2772	2628	cmd.exe	36
PID 2628 wrote to memory of 2772	2628	cmd.exe	36
PID 2628 wrote to memory of 2612	2628	cmd.exe	37
PID 2628 wrote to memory of 2612	2628	cmd.exe	37
PID 2628 wrote to memory of 2612	2628	cmd.exe	37
PID 2628 wrote to memory of 2612	2628	cmd.exe	37
PID 2628 wrote to memory of 2856	2628	cmd.exe	38
PID 2628 wrote to memory of 2856	2628	cmd.exe	38
PID 2628 wrote to memory of 2856	2628	cmd.exe	38
PID 2628 wrote to memory of 2856	2628	cmd.exe	38
PID 2564 wrote to memory of 2536	2564	taskeng.exe	41
PID 2564 wrote to memory of 2536	2564	taskeng.exe	41
PID 2564 wrote to memory of 2536	2564	taskeng.exe	41
PID 2564 wrote to memory of 2536	2564	taskeng.exe	41
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 1484 wrote to memory of 2700	1484	legosa.exe	44
PID 2564 wrote to memory of 2832	2564	taskeng.exe	45
PID 2564 wrote to memory of 2832	2564	taskeng.exe	45
PID 2564 wrote to memory of 2832	2564	taskeng.exe	45
PID 2564 wrote to memory of 2832	2564	taskeng.exe	45
PID 2564 wrote to memory of 1036	2564	taskeng.exe	46
PID 2564 wrote to memory of 1036	2564	taskeng.exe	46
PID 2564 wrote to memory of 1036	2564	taskeng.exe	46
PID 2564 wrote to memory of 1036	2564	taskeng.exe	46
PID 2564 wrote to memory of 836	2564	taskeng.exe	47
PID 2564 wrote to memory of 836	2564	taskeng.exe	47
PID 2564 wrote to memory of 836	2564	taskeng.exe	47
PID 2564 wrote to memory of 836	2564	taskeng.exe	47
PID 2564 wrote to memory of 2240	2564	taskeng.exe	48
PID 2564 wrote to memory of 2240	2564	taskeng.exe	48
PID 2564 wrote to memory of 2240	2564	taskeng.exe	48
PID 2564 wrote to memory of 2240	2564	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\u8542029.exe
"C:\Users\Admin\AppData\Local\Temp\u8542029.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legosa.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legosa.exe" /P "Admin:N"&&CACLS "legosa.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:N"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:R" /E
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:N"
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:R" /E
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {981C4976-DDEB-4137-B54B-E007A072701B} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  2⤵
  - Executes dropped EXE
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads