amadey | 35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

General

Target

906f443ff2f5e59b38d0da12090ae17e.exe
Size

375KB
MD5

906f443ff2f5e59b38d0da12090ae17e
SHA1

1e50f93e2a49cf1325c291eb8c491e00e84e80d8
SHA256

35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd
SHA512

f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68
SSDEEP

6144:9bgwg3Zl1zv+E53TbUBdxz+xdcPX8aiirmcDtczEcmTPO3:90B1zv+2PUHJCdcfPiiyGCMW

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

2828 Utsysc.exe
1252 Utsysc.exe
2288 Utsysc.exe
Loads dropped DLL 2 IoCs

Processes:

906f443ff2f5e59b38d0da12090ae17e.exe

pid process

1924 906f443ff2f5e59b38d0da12090ae17e.exe
1924 906f443ff2f5e59b38d0da12090ae17e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2108 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

906f443ff2f5e59b38d0da12090ae17e.exe

pid process

1924 906f443ff2f5e59b38d0da12090ae17e.exe

pid	process
2828	Utsysc.exe
1252	Utsysc.exe
2288	Utsysc.exe

pid	process
1924	906f443ff2f5e59b38d0da12090ae17e.exe
1924	906f443ff2f5e59b38d0da12090ae17e.exe

pid	process
2108	schtasks.exe

pid	process
1924	906f443ff2f5e59b38d0da12090ae17e.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

906f443ff2f5e59b38d0da12090ae17e.exeUtsysc.exetaskeng.exe

description	pid	process	target process
PID 1924 wrote to memory of 2828	1924	906f443ff2f5e59b38d0da12090ae17e.exe	Utsysc.exe
PID 1924 wrote to memory of 2828	1924	906f443ff2f5e59b38d0da12090ae17e.exe	Utsysc.exe
PID 1924 wrote to memory of 2828	1924	906f443ff2f5e59b38d0da12090ae17e.exe	Utsysc.exe
PID 1924 wrote to memory of 2828	1924	906f443ff2f5e59b38d0da12090ae17e.exe	Utsysc.exe
PID 2828 wrote to memory of 2108	2828	Utsysc.exe	schtasks.exe
PID 2828 wrote to memory of 2108	2828	Utsysc.exe	schtasks.exe
PID 2828 wrote to memory of 2108	2828	Utsysc.exe	schtasks.exe
PID 2828 wrote to memory of 2108	2828	Utsysc.exe	schtasks.exe
PID 1796 wrote to memory of 1252	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 1252	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 1252	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 1252	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 2288	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 2288	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 2288	1796	taskeng.exe	Utsysc.exe
PID 1796 wrote to memory of 2288	1796	taskeng.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\906f443ff2f5e59b38d0da12090ae17e.exe
"C:\Users\Admin\AppData\Local\Temp\906f443ff2f5e59b38d0da12090ae17e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\taskeng.exe
taskeng.exe {BFA0442A-F870-469F-A15D-085903677FD9} S-1-5-21-1514849007-2165033493-4114354048-1000:NOCBBDMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1252

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\514849007216

Filesize
65KB

MD5
caa8c67e7b5ce3f859d3c1f0b6760fb3

SHA1
01ae970eb289c029b14a7a182e8f23e5e722462b

SHA256
ceaa944de50638c687487196b60818e4e63d4cf0404ddc09ad6ccd6803ec1d13

SHA512
8dc1fa041bc2991709cfc9d50685f5415141bb0ab5a4490ff80c9ad47c6047667e609b92028cd5e83f0620b87e2307027f9b916a76a72a1b9b4fb2c4872cb9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
memory/1252-45-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/1252-44-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1252-43-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/1924-19-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1924-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1924-6-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/1924-7-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1924-2-0x0000000002350000-0x00000000023BC000-memory.dmp

Filesize
432KB

Download
memory/1924-16-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/1924-18-0x0000000002350000-0x00000000023BC000-memory.dmp

Filesize
432KB

Download
memory/2288-58-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/2288-57-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2288-61-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-33-0x0000000000D60000-0x0000000000E60000-memory.dmp

Filesize
1024KB

Download
memory/2828-42-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-32-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-27-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-20-0x0000000000D60000-0x0000000000E60000-memory.dmp

Filesize
1024KB

Download
memory/2828-49-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-22-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/2828-60-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads