amadey | dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

General

Target

ftewk.exe
Size

334KB
MD5

21a947b4e4a65510aa9188cc950bc943
SHA1

9ee64e984916c52852c31d89b65a08eb2ec61e17
SHA256

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
SHA512

358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
SSDEEP

6144:yTHdZRgemI+7bRjfY3hzVbYTwmpwkwtxxlHltWQImbvv/:yT9/gfI+7bRjfYRdgw+wkixjFUmr/

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

http://193.106.191.201

Attributes

install_dir
b3dcf4c296
install_file
ftewk.exe
strings_key
cb8ccbe6da37d4a50d7be5c517c157de
url_paths
/panelis/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

ftewk.exe

pid process

2620 ftewk.exe
Loads dropped DLL 2 IoCs

Processes:

ftewk.exe

pid process

2472 ftewk.exe
2472 ftewk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2924 schtasks.exe

pid	process
2620	ftewk.exe

pid	process
2472	ftewk.exe
2472	ftewk.exe

pid	process
2924	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ftewk.exeftewk.execmd.exe

description	pid	process	target process
PID 2472 wrote to memory of 2620	2472	ftewk.exe	ftewk.exe
PID 2472 wrote to memory of 2620	2472	ftewk.exe	ftewk.exe
PID 2472 wrote to memory of 2620	2472	ftewk.exe	ftewk.exe
PID 2472 wrote to memory of 2620	2472	ftewk.exe	ftewk.exe
PID 2620 wrote to memory of 2660	2620	ftewk.exe	cmd.exe
PID 2620 wrote to memory of 2660	2620	ftewk.exe	cmd.exe
PID 2620 wrote to memory of 2660	2620	ftewk.exe	cmd.exe
PID 2620 wrote to memory of 2660	2620	ftewk.exe	cmd.exe
PID 2620 wrote to memory of 2924	2620	ftewk.exe	schtasks.exe
PID 2620 wrote to memory of 2924	2620	ftewk.exe	schtasks.exe
PID 2620 wrote to memory of 2924	2620	ftewk.exe	schtasks.exe
PID 2620 wrote to memory of 2924	2620	ftewk.exe	schtasks.exe
PID 2660 wrote to memory of 2852	2660	cmd.exe	reg.exe
PID 2660 wrote to memory of 2852	2660	cmd.exe	reg.exe
PID 2660 wrote to memory of 2852	2660	cmd.exe	reg.exe
PID 2660 wrote to memory of 2852	2660	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\ftewk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
3⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
4⤵
PID:2852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
memory/2472-1-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2472-3-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2472-2-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2472-14-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2472-15-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2620-17-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2620-18-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2620-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2620-23-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2620-25-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads