amadey | 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01

General

Target

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
Size

6.9MB
MD5

56c197e493f74f9233a16cdefab3109f
SHA1

af35bd2fd5d884bdf6bea8aac695e98f5a00715a
SHA256

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
SHA512

d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086
SSDEEP

98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E

Score

10^/10

amadey trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes

install_dir
a304d35d74
install_file
yiueea.exe
strings_key
3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

VMProtect packed file 12 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2012-2-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2012-7-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2012-10-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2488-13-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2488-17-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2488-21-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2960-23-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2960-28-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2960-32-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2784-35-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2784-39-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect
behavioral1/memory/2784-42-0x0000000000CD0000-0x0000000001740000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe

pid	Process
2012	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
2488	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
2960	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
2784	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exetaskeng.exe

description	pid	Process	procid_target
PID 2012 wrote to memory of 2776	2012	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe	28
PID 2012 wrote to memory of 2776	2012	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe	28
PID 2012 wrote to memory of 2776	2012	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe	28
PID 2012 wrote to memory of 2776	2012	172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe	28
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2488	2764	taskeng.exe	32
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2960	2764	taskeng.exe	35
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36
PID 2764 wrote to memory of 2784	2764	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
"C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe /TR "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:2776

C:\Windows\system32\taskeng.exe
taskeng.exe {4B49082B-88B0-449C-A925-390C436F8951} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488
- C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-0-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2012-3-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2012-2-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2012-6-0x0000000077390000-0x0000000077391000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2012-7-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2012-10-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2488-17-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2488-16-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2488-13-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2488-18-0x0000000077390000-0x0000000077391000-memory.dmp

Filesize
4KB

Download
memory/2488-21-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2488-14-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2784-35-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2784-42-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2784-39-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2960-25-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2960-29-0x0000000077390000-0x0000000077391000-memory.dmp

Filesize
4KB

Download
memory/2960-32-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2960-28-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2960-23-0x0000000000CD0000-0x0000000001740000-memory.dmp

Filesize
10.4MB

Download
memory/2960-27-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads