amadey | 29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
03-12-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c963942b7b60bf1352d07f136ce4d5f0.exe
Size

453KB
MD5

c963942b7b60bf1352d07f136ce4d5f0
SHA1

7bafedd3874b3f1ebc6d668ee90fa8f58a020370
SHA256

29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3
SHA512

ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb
SSDEEP

6144:JWithdJ7T88JJdDkELkbO+IAGkqOjIHROoSvdZ1m4TzzWCB/ZiaM:Mi1JfbJJd4O+IAGFcSROZZ1lD7B8aM

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://77.91.76.37

Attributes

install_dir
c508585d38
install_file
Utsysc.exe
strings_key
c736fd5bdd26ef77013837dee2004742
url_paths
/g8samsA2/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

2740 Utsysc.exe
2344 Utsysc.exe
1648 Utsysc.exe
1840 Utsysc.exe
Loads dropped DLL 2 IoCs

Processes:

c963942b7b60bf1352d07f136ce4d5f0.exe

pid process

1972 c963942b7b60bf1352d07f136ce4d5f0.exe
1972 c963942b7b60bf1352d07f136ce4d5f0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2356 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c963942b7b60bf1352d07f136ce4d5f0.exe

pid process

1972 c963942b7b60bf1352d07f136ce4d5f0.exe

pid	process
2740	Utsysc.exe
2344	Utsysc.exe
1648	Utsysc.exe
1840	Utsysc.exe

pid	process
1972	c963942b7b60bf1352d07f136ce4d5f0.exe
1972	c963942b7b60bf1352d07f136ce4d5f0.exe

pid	process
2356	schtasks.exe

pid	process
1972	c963942b7b60bf1352d07f136ce4d5f0.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c963942b7b60bf1352d07f136ce4d5f0.exeUtsysc.exetaskeng.exe

description	pid	process	target process
PID 1972 wrote to memory of 2740	1972	c963942b7b60bf1352d07f136ce4d5f0.exe	Utsysc.exe
PID 1972 wrote to memory of 2740	1972	c963942b7b60bf1352d07f136ce4d5f0.exe	Utsysc.exe
PID 1972 wrote to memory of 2740	1972	c963942b7b60bf1352d07f136ce4d5f0.exe	Utsysc.exe
PID 1972 wrote to memory of 2740	1972	c963942b7b60bf1352d07f136ce4d5f0.exe	Utsysc.exe
PID 2740 wrote to memory of 2356	2740	Utsysc.exe	schtasks.exe
PID 2740 wrote to memory of 2356	2740	Utsysc.exe	schtasks.exe
PID 2740 wrote to memory of 2356	2740	Utsysc.exe	schtasks.exe
PID 2740 wrote to memory of 2356	2740	Utsysc.exe	schtasks.exe
PID 2712 wrote to memory of 2344	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 2344	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 2344	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 2344	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1648	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1648	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1648	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1648	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1840	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1840	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1840	2712	taskeng.exe	Utsysc.exe
PID 2712 wrote to memory of 1840	2712	taskeng.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\c963942b7b60bf1352d07f136ce4d5f0.exe
"C:\Users\Admin\AppData\Local\Temp\c963942b7b60bf1352d07f136ce4d5f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\taskeng.exe
taskeng.exe {2D6A5589-CBC1-46C8-A965-9DD1DC7EC016} S-1-5-21-1502336823-1680518048-858510903-1000:XARGEIVJ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\502336823168

Filesize
63KB

MD5
1329799c448888d13d4b106a209d48fd

SHA1
16d773aee1296b820e9660581df6fa8feba269f8

SHA256
16f4d5672352366dd8e4aab0db33b0392eb5ab7c4ab529494405f9ff13b6e6dc

SHA512
f767bd0c7db445c5c5f30d843962f20be5c135da2815a71f082cb2e594594d9ff9299784a26191642af4ac62710652d7890d649c9430cf0015116d32ea0282db

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
\Users\Admin\AppData\Local\Temp\c508585d38\Utsysc.exe

Filesize
453KB

MD5
c963942b7b60bf1352d07f136ce4d5f0

SHA1
7bafedd3874b3f1ebc6d668ee90fa8f58a020370

SHA256
29b841e7b3965ad49e90253946da782bd0c82c42691f3d02811c75ae08df76f3

SHA512
ff1673b3a8df1a25c8dafc1b21ff3ac72b917d51497d447992e3143f58c5df2815fcc89d506a0af6cca7f92b8f065d4e3143bc423f17feae26d68b527e977ccb

Download Submit
memory/1648-47-0x0000000000870000-0x00000000008DF000-memory.dmp

Filesize
444KB

Download
memory/1648-48-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1648-46-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/1840-57-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1840-58-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1972-16-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1972-17-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/1972-1-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/1972-3-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1972-4-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1972-2-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/2344-30-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2344-35-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2344-29-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2344-28-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2740-20-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2740-19-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/2740-42-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2740-51-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2740-33-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/2740-32-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/2740-31-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download