amadey | dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

General

Target

ftewk.exe
Size

334KB
MD5

21a947b4e4a65510aa9188cc950bc943
SHA1

9ee64e984916c52852c31d89b65a08eb2ec61e17
SHA256

dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
SHA512

358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
SSDEEP

6144:yTHdZRgemI+7bRjfY3hzVbYTwmpwkwtxxlHltWQImbvv/:yT9/gfI+7bRjfYRdgw+wkixjFUmr/

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

http://193.106.191.201

Attributes

install_dir
b3dcf4c296
install_file
ftewk.exe
strings_key
cb8ccbe6da37d4a50d7be5c517c157de
url_paths
/panelis/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ftewk.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	ftewk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	ftewk.exe

Executes dropped EXE 2 IoCs

Processes:

ftewk.exeftewk.exe

pid process

2832 ftewk.exe
2612 ftewk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3936 2784 WerFault.exe ftewk.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4304 schtasks.exe

pid	process
2832	ftewk.exe
2612	ftewk.exe

pid	pid_target	process	target process
3936	2784	WerFault.exe	ftewk.exe

pid	process
4304	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ftewk.exeftewk.execmd.exe

description	pid	process	target process
PID 2784 wrote to memory of 2832	2784	ftewk.exe	ftewk.exe
PID 2784 wrote to memory of 2832	2784	ftewk.exe	ftewk.exe
PID 2784 wrote to memory of 2832	2784	ftewk.exe	ftewk.exe
PID 2832 wrote to memory of 1796	2832	ftewk.exe	cmd.exe
PID 2832 wrote to memory of 1796	2832	ftewk.exe	cmd.exe
PID 2832 wrote to memory of 1796	2832	ftewk.exe	cmd.exe
PID 2832 wrote to memory of 4304	2832	ftewk.exe	schtasks.exe
PID 2832 wrote to memory of 4304	2832	ftewk.exe	schtasks.exe
PID 2832 wrote to memory of 4304	2832	ftewk.exe	schtasks.exe
PID 1796 wrote to memory of 868	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 868	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 868	1796	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\ftewk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
3⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
4⤵
PID:868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1096
2⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2784 -ip 2784
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
1⤵
- Executes dropped EXE
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\506940634330

Filesize
82KB

MD5
09f4b0f05ca4325ef3259adaf21551a6

SHA1
dae389d1f32c3c45e2426894e2a21837360c382d

SHA256
a72391ae72124ab7b09d15ba625804247abdf3be8218040a140f03011c6d8351

SHA512
36770d2312775c08008ca0200a257e2b63872ae2bfd5e6681e5c28ab62f8ba8e587259af43d052cecf677b3b6b6db5d286fc1c08adb6d8bbabae038e004fdff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe

Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe

Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe

Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe

Filesize
334KB

MD5
21a947b4e4a65510aa9188cc950bc943

SHA1
9ee64e984916c52852c31d89b65a08eb2ec61e17

SHA256
dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364

SHA512
358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684

Download Submit
memory/2784-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2784-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2784-5-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2784-2-0x00000000005E0000-0x0000000000618000-memory.dmp

Filesize
224KB

Download
memory/2832-19-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/2832-20-0x00000000020F0000-0x0000000002128000-memory.dmp

Filesize
224KB

Download
memory/2832-21-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2832-26-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2832-33-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/2832-34-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads