amadey | b87d85642157799389b8dec9910236df80952b575f5f2abf6eab5681bfdf8b82

General

Target

35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
Size

375KB
MD5

906f443ff2f5e59b38d0da12090ae17e
SHA1

1e50f93e2a49cf1325c291eb8c491e00e84e80d8
SHA256

35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd
SHA512

f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68
SSDEEP

6144:9bgwg3Zl1zv+E53TbUBdxz+xdcPX8aiirmcDtczEcmTPO3:90B1zv+2PUHJCdcfPiiyGCMW

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

Utsysc.exe

pid process

4668 Utsysc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4668	Utsysc.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1920	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
804	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
2500	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
4432	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
3276	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
3052	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
992	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
1084	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
3416	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
1624	5324	WerFault.exe	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
2156	4668	WerFault.exe	Utsysc.exe
6128	4668	WerFault.exe	Utsysc.exe
5724	4668	WerFault.exe	Utsysc.exe
6120	4668	WerFault.exe	Utsysc.exe
5596	4668	WerFault.exe	Utsysc.exe
952	4668	WerFault.exe	Utsysc.exe
964	4668	WerFault.exe	Utsysc.exe
548	4668	WerFault.exe	Utsysc.exe
5628	4668	WerFault.exe	Utsysc.exe
5268	4668	WerFault.exe	Utsysc.exe
3300	4668	WerFault.exe	Utsysc.exe
5388	4668	WerFault.exe	Utsysc.exe
2388	4668	WerFault.exe	Utsysc.exe
5768	4668	WerFault.exe	Utsysc.exe
5644	4668	WerFault.exe	Utsysc.exe
4752	4668	WerFault.exe	Utsysc.exe
5956	4668	WerFault.exe	Utsysc.exe
3748	4668	WerFault.exe	Utsysc.exe
3700	4668	WerFault.exe	Utsysc.exe
416	4668	WerFault.exe	Utsysc.exe
3840	4668	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5284 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe

pid process

5324 35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe

pid	process
5284	schtasks.exe

pid	process
5324	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exeUtsysc.exe

description	pid	process	target process
PID 5324 wrote to memory of 4668	5324	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe	Utsysc.exe
PID 5324 wrote to memory of 4668	5324	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe	Utsysc.exe
PID 5324 wrote to memory of 4668	5324	35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe	Utsysc.exe
PID 4668 wrote to memory of 5284	4668	Utsysc.exe	schtasks.exe
PID 4668 wrote to memory of 5284	4668	Utsysc.exe	schtasks.exe
PID 4668 wrote to memory of 5284	4668	Utsysc.exe	schtasks.exe
PID 4668 wrote to memory of 3060	4668	Utsysc.exe	rundll32.exe
PID 4668 wrote to memory of 3060	4668	Utsysc.exe	rundll32.exe
PID 4668 wrote to memory of 3060	4668	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe
"C:\Users\Admin\AppData\Local\Temp\35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 616
2⤵
- Program crash
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 688
2⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 756
2⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 868
2⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 756
2⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 884
2⤵
- Program crash
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1000
2⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1012
2⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1048
2⤵
- Program crash
PID:3416

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 632
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 824
3⤵
- Program crash
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 880
3⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1032
3⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1040
3⤵
- Program crash
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1052
3⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1116
3⤵
- Program crash
PID:964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 892
3⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 720
3⤵
- Program crash
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1272
3⤵
- Program crash
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1280
3⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 932
3⤵
- Program crash
PID:5388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 928
3⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1272
3⤵
- Program crash
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1296
3⤵
- Program crash
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1472
3⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1560
3⤵
- Program crash
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1544
3⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1548
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1096
3⤵
- Program crash
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1808
3⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1252
2⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5324 -ip 5324
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5324 -ip 5324
1⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5324 -ip 5324
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5324 -ip 5324
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5324 -ip 5324
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5324 -ip 5324
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5324 -ip 5324
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5324 -ip 5324
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5324 -ip 5324
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5324 -ip 5324
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4668 -ip 4668
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4668 -ip 4668
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4668 -ip 4668
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4668 -ip 4668
1⤵
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4668 -ip 4668
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4668 -ip 4668
1⤵
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4668 -ip 4668
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4668 -ip 4668
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4668 -ip 4668
1⤵
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4668 -ip 4668
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4668 -ip 4668
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4668 -ip 4668
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4668 -ip 4668
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4668 -ip 4668
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4668 -ip 4668
1⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4668 -ip 4668
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4668 -ip 4668
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4668 -ip 4668
1⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\484251756281
Filesize
76KB

MD5
60daa4697963cae849c549c9d3cd3f66

SHA1
a717fab122442e0e1d2f5b0168d5ab34d4c36028

SHA256
130f3164ccde4aeeb54ff048773796d363a5d2b4de87bf5fda35988451c92c6a

SHA512
1113ac22f93bab78d1da108b7f53fa4ad3af774d41908a10237efb1bea59cb254709235dbefb0d3b4464c7c3c6e135fea07837816bda42f7cf63cb017700c6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
375KB

MD5
906f443ff2f5e59b38d0da12090ae17e

SHA1
1e50f93e2a49cf1325c291eb8c491e00e84e80d8

SHA256
35444ec8434846a91960534af1f3cf875096c4c5aa869e7612a06327ddf616bd

SHA512
f4238ff549af3e0a20e53a98680de3b00db296aaf733f60992d9c7738f46febad44f4214b683c422f3dfd04d4389f3956e8076ffb6c13faa0be46e80c6012b68

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
memory/4668-20-0x0000000000EC0000-0x0000000000FC0000-memory.dmp

Filesize
1024KB

Download
memory/4668-21-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/4668-26-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/4668-38-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/4668-39-0x0000000000EC0000-0x0000000000FC0000-memory.dmp

Filesize
1024KB

Download
memory/4668-52-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/5324-18-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/5324-1-0x0000000000D20000-0x0000000000E20000-memory.dmp

Filesize
1024KB

Download
memory/5324-19-0x0000000002A10000-0x0000000002A7C000-memory.dmp

Filesize
432KB

Download
memory/5324-3-0x0000000000400000-0x0000000000BB8000-memory.dmp

Filesize
7.7MB

Download
memory/5324-2-0x0000000002A10000-0x0000000002A7C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads