amadey | fd3b8c678ab187c425cdad9a4be8aa066782d9bdceb88a3dcaa19e56f170ef25

General

Target

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
Size

1.5MB
MD5

6866f4e7450d085b19ad1aa9adaca819
SHA1

4afc3a0de610f45dbf8eb83da2a16052c2a81b01
SHA256

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e
SHA512

4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8
SSDEEP

24576:NQIsq2Q2GOAO4fCCy7gtsICmEly/nDBRyqni3xbU4eWxDJ3YsXv6+tH9ZPz1:NQIsq2Q2GOAO4fCZ7YsL8/KqihAsxDJX

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://65.108.99.238

http://brodoyouevenlift.co.za

Attributes

strings_key
bda044f544861e32e95f5d49b3939bcc
url_paths
/yXNwKVfkS28Y/index.php

/g5ddWs/index.php

/pOVxaw24d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Suspicious use of SetThreadContext 1 IoCs

Processes:

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

description	pid	process	target process
PID 1700 set thread context of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2756 1644 WerFault.exe 93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

description pid process

Token: SeDebugPrivilege 1700 93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

pid	pid_target	process	target process
2756	1644	WerFault.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

description	pid	process
Token: SeDebugPrivilege	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe

C:\Users\Admin\AppData\Local\Temp\93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
"C:\Users\Admin\AppData\Local\Temp\93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
C:\Users\Admin\AppData\Local\Temp\93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 160
3⤵
- Program crash
PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1644-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-7-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-21-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-18-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1644-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1700-5-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/1700-4-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/1700-2-0x0000000000A00000-0x0000000000A7A000-memory.dmp

Filesize
488KB

Download
memory/1700-0-0x0000000000A80000-0x0000000000BFA000-memory.dmp

Filesize
1.5MB

Download
memory/1700-6-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/1700-1-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-20-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1700-3-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download

description	pid	process	target process
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1700 wrote to memory of 1644	1700	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe
PID 1644 wrote to memory of 2756	1644	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	WerFault.exe
PID 1644 wrote to memory of 2756	1644	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	WerFault.exe
PID 1644 wrote to memory of 2756	1644	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	WerFault.exe
PID 1644 wrote to memory of 2756	1644	93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e.exe	WerFault.exe

Analysis

Sharing