amadey | 5b0f7bd234a96f0b698934d62cfe770b554a3b71b65b7fad575008e6f0c55bd5

Analysis

max time kernel
142s
max time network
132s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe
Size

446KB
MD5

3ac2f0cfc97ded7bda31835e5cc2ec7e
SHA1

deac90c7ef3340bff2e315e229dd9e2f752115f2
SHA256

74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9
SHA512

f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8
SSDEEP

6144:bfu0eE6pn1nurt22Sle//O6+GsMFGV5iLXr9i49Ep6Dh:1eEonurt22R/GMkbIrM4y8Dh

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

2764 Utsysc.exe
1100 Utsysc.exe
2044 Utsysc.exe

pid	process
2764	Utsysc.exe
1100	Utsysc.exe
2044	Utsysc.exe

Loads dropped DLL 2 IoCs

Processes:

74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe

pid	process
2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe
2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2300 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe

pid process

2340 74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe

pid	process
2300	schtasks.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exeUtsysc.exetaskeng.exe

description	pid	process	target process
PID 2340 wrote to memory of 2764	2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe	Utsysc.exe
PID 2340 wrote to memory of 2764	2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe	Utsysc.exe
PID 2340 wrote to memory of 2764	2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe	Utsysc.exe
PID 2340 wrote to memory of 2764	2340	74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe	Utsysc.exe
PID 2764 wrote to memory of 2300	2764	Utsysc.exe	schtasks.exe
PID 2764 wrote to memory of 2300	2764	Utsysc.exe	schtasks.exe
PID 2764 wrote to memory of 2300	2764	Utsysc.exe	schtasks.exe
PID 2764 wrote to memory of 2300	2764	Utsysc.exe	schtasks.exe
PID 1900 wrote to memory of 1100	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 1100	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 1100	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 1100	1900	taskeng.exe	Utsysc.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 620	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1388	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 2976	2764	Utsysc.exe	rundll32.exe
PID 1900 wrote to memory of 2044	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 2044	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 2044	1900	taskeng.exe	Utsysc.exe
PID 1900 wrote to memory of 2044	1900	taskeng.exe	Utsysc.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe
PID 2764 wrote to memory of 1952	2764	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe
"C:\Users\Admin\AppData\Local\Temp\74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:620

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:1388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:2976

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1952

C:\Windows\system32\taskeng.exe
taskeng.exe {DA71E30B-E0C9-4DFE-ABCD-C3167265F016} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\085049433106

Filesize
71KB

MD5
d020301e1f7a1e2abf8fd4a598555112

SHA1
8c10fbcab6ea80126e5d0d6fb618b9d7f497765f

SHA256
9d619c3fbf39faa7a7008aff2e646d7796560add8b7d7fb31a7c6fb4af0b3aaa

SHA512
6d933df9976c3434b0f175c4887d1dcfac503cb8a25b19e173980f77b39f9d2bdd0e19931a2f8295c6e114379f77558e649b23873ff52d95af79af011dddfdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
446KB

MD5
3ac2f0cfc97ded7bda31835e5cc2ec7e

SHA1
deac90c7ef3340bff2e315e229dd9e2f752115f2

SHA256
74ec10cbe8c630cd75807e89022da49876ea04bf76c3bea536c61b5cd36be0a9

SHA512
f8b6395e7f40334123f2e6f0fe53bf1e9db7db3516a73e9e6f3aead317849bb7fa6eeadfb938b3cce50eea9dfbe602d106a6adef584845da0c41d5e962a399d8

Download Submit
memory/1100-46-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/1100-45-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2044-74-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2044-76-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/2340-3-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2340-1-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2340-4-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download
memory/2340-19-0x0000000000240000-0x00000000002AC000-memory.dmp

Filesize
432KB

Download
memory/2340-18-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2340-16-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-39-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-57-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-58-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-59-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-60-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-40-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2764-38-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-75-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-21-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download
memory/2764-20-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2764-77-0x0000000000400000-0x0000000000890000-memory.dmp

Filesize
4.6MB

Download