amadey | 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01

General

Target

SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
Size

6.9MB
MD5

56c197e493f74f9233a16cdefab3109f
SHA1

af35bd2fd5d884bdf6bea8aac695e98f5a00715a
SHA256

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
SHA512

d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086
SSDEEP

98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E

Score

10^/10

amadey trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes

install_dir
a304d35d74
install_file
yiueea.exe
strings_key
3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4968-1-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/4968-2-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/4968-5-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3292-8-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3292-7-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3292-11-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3472-14-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3472-13-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect
behavioral2/memory/3472-17-0x0000000000020000-0x0000000000A90000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Win32.BotX-gen.30049.24820.exeSecuriteInfo.com.Win32.BotX-gen.30049.24820.exeSecuriteInfo.com.Win32.BotX-gen.30049.24820.exe

pid	Process
4968	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
4968	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
3292	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
3292	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
3472	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
3472	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe

description	pid	Process	procid_target
PID 4968 wrote to memory of 4604	4968	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe	85
PID 4968 wrote to memory of 4604	4968	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe	85
PID 4968 wrote to memory of 4604	4968	SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe /TR "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:4604

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.BotX-gen.30049.24820.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3292-6-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3292-8-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/3292-7-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/3292-11-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/3472-12-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/3472-14-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/3472-13-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/3472-17-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/4968-0-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4968-1-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/4968-2-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download
memory/4968-5-0x0000000000020000-0x0000000000A90000-memory.dmp

Filesize
10.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads