amadey | 27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe
Size

243KB
MD5

eb4f61cdbba43d2b9b567e06a981f760
SHA1

b9738f36b4fb5451fa28cc23f0eff794d7b6b647
SHA256

27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359
SHA512

433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca
SSDEEP

6144:LEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:LE32xpoaxBFg1ugMeS

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
3060	explothe.exe

Loads dropped DLL 1 IoCs

pid	Process
2288	NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3060	2288	NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe	38
PID 2288 wrote to memory of 3060	2288	NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe	38
PID 2288 wrote to memory of 3060	2288	NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe	38
PID 2288 wrote to memory of 3060	2288	NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe	38
PID 3060 wrote to memory of 2600	3060	explothe.exe	29
PID 3060 wrote to memory of 2600	3060	explothe.exe	29
PID 3060 wrote to memory of 2600	3060	explothe.exe	29
PID 3060 wrote to memory of 2600	3060	explothe.exe	29
PID 3060 wrote to memory of 2648	3060	explothe.exe	31
PID 3060 wrote to memory of 2648	3060	explothe.exe	31
PID 3060 wrote to memory of 2648	3060	explothe.exe	31
PID 3060 wrote to memory of 2648	3060	explothe.exe	31
PID 2648 wrote to memory of 2768	2648	cmd.exe	37
PID 2648 wrote to memory of 2768	2648	cmd.exe	37
PID 2648 wrote to memory of 2768	2648	cmd.exe	37
PID 2648 wrote to memory of 2768	2648	cmd.exe	37
PID 2648 wrote to memory of 2936	2648	cmd.exe	36
PID 2648 wrote to memory of 2936	2648	cmd.exe	36
PID 2648 wrote to memory of 2936	2648	cmd.exe	36
PID 2648 wrote to memory of 2936	2648	cmd.exe	36
PID 2648 wrote to memory of 2616	2648	cmd.exe	32
PID 2648 wrote to memory of 2616	2648	cmd.exe	32
PID 2648 wrote to memory of 2616	2648	cmd.exe	32
PID 2648 wrote to memory of 2616	2648	cmd.exe	32
PID 2648 wrote to memory of 2356	2648	cmd.exe	35
PID 2648 wrote to memory of 2356	2648	cmd.exe	35
PID 2648 wrote to memory of 2356	2648	cmd.exe	35
PID 2648 wrote to memory of 2356	2648	cmd.exe	35
PID 2648 wrote to memory of 2920	2648	cmd.exe	34
PID 2648 wrote to memory of 2920	2648	cmd.exe	34
PID 2648 wrote to memory of 2920	2648	cmd.exe	34
PID 2648 wrote to memory of 2920	2648	cmd.exe	34
PID 2648 wrote to memory of 2828	2648	cmd.exe	33
PID 2648 wrote to memory of 2828	2648	cmd.exe	33
PID 2648 wrote to memory of 2828	2648	cmd.exe	33
PID 2648 wrote to memory of 2828	2648	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eb4f61cdbba43d2b9b567e06a981f760.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
1⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\cacls.exe
  CACLS "explothe.exe" /P "Admin:R" /E
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cacls.exe
  CACLS "..\fefffe8cea" /P "Admin:R" /E
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cacls.exe
  CACLS "..\fefffe8cea" /P "Admin:N"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cacls.exe
  CACLS "explothe.exe" /P "Admin:N"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
  2⤵
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
243KB

MD5
eb4f61cdbba43d2b9b567e06a981f760

SHA1
b9738f36b4fb5451fa28cc23f0eff794d7b6b647

SHA256
27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

SHA512
433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
243KB

MD5
eb4f61cdbba43d2b9b567e06a981f760

SHA1
b9738f36b4fb5451fa28cc23f0eff794d7b6b647

SHA256
27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

SHA512
433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
243KB

MD5
eb4f61cdbba43d2b9b567e06a981f760

SHA1
b9738f36b4fb5451fa28cc23f0eff794d7b6b647

SHA256
27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

SHA512
433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

Download Submit
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
243KB

MD5
eb4f61cdbba43d2b9b567e06a981f760

SHA1
b9738f36b4fb5451fa28cc23f0eff794d7b6b647

SHA256
27a59b0d52380734f65d86eec8562d206300e3b64500017ba0157a17bd458359

SHA512
433473687f20b4c6de30e3f43625419c3c02fa4ee39989b599ffee3446ec2acf2f30ee94d375a55eb06ad0d8cb0ae06b6a5fe11e76f70d7a132d6b3ece23a4ca

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads