amadey | afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

General

Target

0x00060000000162e0-52.exe
Size

313KB
MD5

b1ddc0d016640f8f31dee59948bfeea8
SHA1

d10117c0c5a2ce9adddb84ab3c067f43b5f39a36
SHA256

afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd
SHA512

01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a
SSDEEP

6144:SR9eh569+UR6P3zIwkp4p2k/DPaZHwc3eoe6u17MgAOIMs8Bq:Sfm5BB7kpi2k/ae6u17pa8Bq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	0x00060000000162e0-52.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 4 IoCs

pid	Process
5028	saves.exe
2564	saves.exe
4868	saves.exe
4264	saves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3400	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 5028	4560	0x00060000000162e0-52.exe	86
PID 4560 wrote to memory of 5028	4560	0x00060000000162e0-52.exe	86
PID 4560 wrote to memory of 5028	4560	0x00060000000162e0-52.exe	86
PID 5028 wrote to memory of 3400	5028	saves.exe	87
PID 5028 wrote to memory of 3400	5028	saves.exe	87
PID 5028 wrote to memory of 3400	5028	saves.exe	87
PID 5028 wrote to memory of 3692	5028	saves.exe	89
PID 5028 wrote to memory of 3692	5028	saves.exe	89
PID 5028 wrote to memory of 3692	5028	saves.exe	89
PID 3692 wrote to memory of 3452	3692	cmd.exe	92
PID 3692 wrote to memory of 3452	3692	cmd.exe	92
PID 3692 wrote to memory of 3452	3692	cmd.exe	92
PID 3692 wrote to memory of 3892	3692	cmd.exe	93
PID 3692 wrote to memory of 3892	3692	cmd.exe	93
PID 3692 wrote to memory of 3892	3692	cmd.exe	93
PID 3692 wrote to memory of 4860	3692	cmd.exe	94
PID 3692 wrote to memory of 4860	3692	cmd.exe	94
PID 3692 wrote to memory of 4860	3692	cmd.exe	94
PID 3692 wrote to memory of 5040	3692	cmd.exe	95
PID 3692 wrote to memory of 5040	3692	cmd.exe	95
PID 3692 wrote to memory of 5040	3692	cmd.exe	95
PID 3692 wrote to memory of 2328	3692	cmd.exe	96
PID 3692 wrote to memory of 2328	3692	cmd.exe	96
PID 3692 wrote to memory of 2328	3692	cmd.exe	96
PID 3692 wrote to memory of 3880	3692	cmd.exe	97
PID 3692 wrote to memory of 3880	3692	cmd.exe	97
PID 3692 wrote to memory of 3880	3692	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\0x00060000000162e0-52.exe
"C:\Users\Admin\AppData\Local\Temp\0x00060000000162e0-52.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "saves.exe" /P "Admin:N"
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "saves.exe" /P "Admin:R" /E
      4⤵
      PID:4860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5040
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\b40d11255d" /P "Admin:N"
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\b40d11255d" /P "Admin:R" /E
      4⤵
      PID:3880

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads