amadey | 17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

Analysis

max time kernel
274s
max time network
235s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
30/10/2023, 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5JV8BA2.exe
Size

220KB
MD5

32a48aa769cde5ccd0284514a5268295
SHA1

506e018bc6cf5602821d2b156cd98b99fdc58083
SHA256

17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182
SHA512

919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96
SSDEEP

6144:DEPAc72ss5pKL93yMax7pH3F2d1ugMeSWp:DE32xpoaxBFg1ugMeS

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 6 IoCs

pid	Process
2668	explothe.exe
2036	explothe.exe
2392	explothe.exe
2872	explothe.exe
2636	explothe.exe
2560	explothe.exe

Loads dropped DLL 5 IoCs

pid	Process
1168	5JV8BA2.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2668	1168	5JV8BA2.exe	28
PID 1168 wrote to memory of 2668	1168	5JV8BA2.exe	28
PID 1168 wrote to memory of 2668	1168	5JV8BA2.exe	28
PID 1168 wrote to memory of 2668	1168	5JV8BA2.exe	28
PID 2668 wrote to memory of 2720	2668	explothe.exe	29
PID 2668 wrote to memory of 2720	2668	explothe.exe	29
PID 2668 wrote to memory of 2720	2668	explothe.exe	29
PID 2668 wrote to memory of 2720	2668	explothe.exe	29
PID 2668 wrote to memory of 2784	2668	explothe.exe	31
PID 2668 wrote to memory of 2784	2668	explothe.exe	31
PID 2668 wrote to memory of 2784	2668	explothe.exe	31
PID 2668 wrote to memory of 2784	2668	explothe.exe	31
PID 2784 wrote to memory of 2728	2784	cmd.exe	33
PID 2784 wrote to memory of 2728	2784	cmd.exe	33
PID 2784 wrote to memory of 2728	2784	cmd.exe	33
PID 2784 wrote to memory of 2728	2784	cmd.exe	33
PID 2784 wrote to memory of 1876	2784	cmd.exe	34
PID 2784 wrote to memory of 1876	2784	cmd.exe	34
PID 2784 wrote to memory of 1876	2784	cmd.exe	34
PID 2784 wrote to memory of 1876	2784	cmd.exe	34
PID 2784 wrote to memory of 2700	2784	cmd.exe	35
PID 2784 wrote to memory of 2700	2784	cmd.exe	35
PID 2784 wrote to memory of 2700	2784	cmd.exe	35
PID 2784 wrote to memory of 2700	2784	cmd.exe	35
PID 2784 wrote to memory of 2820	2784	cmd.exe	36
PID 2784 wrote to memory of 2820	2784	cmd.exe	36
PID 2784 wrote to memory of 2820	2784	cmd.exe	36
PID 2784 wrote to memory of 2820	2784	cmd.exe	36
PID 2784 wrote to memory of 2600	2784	cmd.exe	37
PID 2784 wrote to memory of 2600	2784	cmd.exe	37
PID 2784 wrote to memory of 2600	2784	cmd.exe	37
PID 2784 wrote to memory of 2600	2784	cmd.exe	37
PID 2784 wrote to memory of 2976	2784	cmd.exe	38
PID 2784 wrote to memory of 2976	2784	cmd.exe	38
PID 2784 wrote to memory of 2976	2784	cmd.exe	38
PID 2784 wrote to memory of 2976	2784	cmd.exe	38
PID 1936 wrote to memory of 2036	1936	taskeng.exe	41
PID 1936 wrote to memory of 2036	1936	taskeng.exe	41
PID 1936 wrote to memory of 2036	1936	taskeng.exe	41
PID 1936 wrote to memory of 2036	1936	taskeng.exe	41
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 2668 wrote to memory of 548	2668	explothe.exe	44
PID 1936 wrote to memory of 2392	1936	taskeng.exe	45
PID 1936 wrote to memory of 2392	1936	taskeng.exe	45
PID 1936 wrote to memory of 2392	1936	taskeng.exe	45
PID 1936 wrote to memory of 2392	1936	taskeng.exe	45
PID 1936 wrote to memory of 2872	1936	taskeng.exe	46
PID 1936 wrote to memory of 2872	1936	taskeng.exe	46
PID 1936 wrote to memory of 2872	1936	taskeng.exe	46
PID 1936 wrote to memory of 2872	1936	taskeng.exe	46
PID 1936 wrote to memory of 2636	1936	taskeng.exe	47
PID 1936 wrote to memory of 2636	1936	taskeng.exe	47
PID 1936 wrote to memory of 2636	1936	taskeng.exe	47
PID 1936 wrote to memory of 2636	1936	taskeng.exe	47
PID 1936 wrote to memory of 2560	1936	taskeng.exe	48
PID 1936 wrote to memory of 2560	1936	taskeng.exe	48
PID 1936 wrote to memory of 2560	1936	taskeng.exe	48
PID 1936 wrote to memory of 2560	1936	taskeng.exe	48

C:\Users\Admin\AppData\Local\Temp\5JV8BA2.exe
"C:\Users\Admin\AppData\Local\Temp\5JV8BA2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:548

C:\Windows\system32\taskeng.exe
taskeng.exe {AAF44A77-DB61-4737-BFF3-7C0A659BFB9A} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
220KB

MD5
32a48aa769cde5ccd0284514a5268295

SHA1
506e018bc6cf5602821d2b156cd98b99fdc58083

SHA256
17360926cf8bd0e46700cc88fcc0b018fea974933cceaa6cffeaba7fed825182

SHA512
919d0a5c9a52f6410e8015d7908de01abc593acd642b3aaacf0e8088069dccd3a6cca5b167fa8171f24efd7cec56150ab3575a405747dd03cee3ddce25700a96

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads