amadey | 27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

Analysis

max time kernel
96s
max time network
126s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f9442ad19be16ace51c67635d2435de.exe
Size

446KB
MD5

9f9442ad19be16ace51c67635d2435de
SHA1

b328a6d18a31534def5f4f9adda9f3da3644f933
SHA256

27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503
SHA512

8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e
SSDEEP

6144:KvEuSnngHwAALG8LRWTyeL1QegNZz9YfoRzMp:AEuonewXRt6KT9jp

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 2 IoCs

Processes:

Utsysc.exeUtsysc.exe

pid process

2304 Utsysc.exe
2944 Utsysc.exe
Loads dropped DLL 2 IoCs

Processes:

9f9442ad19be16ace51c67635d2435de.exe

pid process

1652 9f9442ad19be16ace51c67635d2435de.exe
1652 9f9442ad19be16ace51c67635d2435de.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9f9442ad19be16ace51c67635d2435de.exe

pid process

1652 9f9442ad19be16ace51c67635d2435de.exe

pid	process
2304	Utsysc.exe
2944	Utsysc.exe

pid	process
1652	9f9442ad19be16ace51c67635d2435de.exe
1652	9f9442ad19be16ace51c67635d2435de.exe

pid	process
2724	schtasks.exe

pid	process
1652	9f9442ad19be16ace51c67635d2435de.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

9f9442ad19be16ace51c67635d2435de.exeUtsysc.exetaskeng.exe

description	pid	process	target process
PID 1652 wrote to memory of 2304	1652	9f9442ad19be16ace51c67635d2435de.exe	Utsysc.exe
PID 1652 wrote to memory of 2304	1652	9f9442ad19be16ace51c67635d2435de.exe	Utsysc.exe
PID 1652 wrote to memory of 2304	1652	9f9442ad19be16ace51c67635d2435de.exe	Utsysc.exe
PID 1652 wrote to memory of 2304	1652	9f9442ad19be16ace51c67635d2435de.exe	Utsysc.exe
PID 2304 wrote to memory of 2724	2304	Utsysc.exe	schtasks.exe
PID 2304 wrote to memory of 2724	2304	Utsysc.exe	schtasks.exe
PID 2304 wrote to memory of 2724	2304	Utsysc.exe	schtasks.exe
PID 2304 wrote to memory of 2724	2304	Utsysc.exe	schtasks.exe
PID 2884 wrote to memory of 2944	2884	taskeng.exe	Utsysc.exe
PID 2884 wrote to memory of 2944	2884	taskeng.exe	Utsysc.exe
PID 2884 wrote to memory of 2944	2884	taskeng.exe	Utsysc.exe
PID 2884 wrote to memory of 2944	2884	taskeng.exe	Utsysc.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1760	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe
PID 2304 wrote to memory of 1200	2304	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9f9442ad19be16ace51c67635d2435de.exe
"C:\Users\Admin\AppData\Local\Temp\9f9442ad19be16ace51c67635d2435de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2724

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:1760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:1200

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1516

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:2024

C:\Windows\system32\taskeng.exe
taskeng.exe {1401E08A-B64E-4379-8838-D479399A51E2} S-1-5-21-1514849007-2165033493-4114354048-1000:NOCBBDMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\514849007216
Filesize
64KB

MD5
367ddee6ca592f85f9802a9c55a0b56b

SHA1
db4cd40b4f818b97aacd32ccde442f8ecd8f54a8

SHA256
f0e7e860a1b598fb16d9e155923cc56ed65421dcc6f4d4b2d3532b8f255635c0

SHA512
4c05f6b4d6e169301549cda9f2b4133a0079e89bce190ebbf6772b3afc075c6ab0b2bbba4b3e3819126b8c38a7aba6b1c9b3f2fdf06ba9cacbf94812886d6792

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
446KB

MD5
9f9442ad19be16ace51c67635d2435de

SHA1
b328a6d18a31534def5f4f9adda9f3da3644f933

SHA256
27ad905e0fa63d89cb28e5079d24b1551ecbc7b969ac9499a07e34a187837503

SHA512
8c9bca45e7d85e8ade121efed260846b1cd05c6917fc70007a61189efae7c8ab34a913127bd21f382a4d0ab5f7de1556bb0acfc769756a501e6e21597a0d357e

Download Submit
memory/1336-75-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1336-76-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/1652-3-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1652-1-0x0000000000CE0000-0x0000000000DE0000-memory.dmp

Filesize
1024KB

Download
memory/1652-17-0x0000000000B00000-0x0000000000B6C000-memory.dmp

Filesize
432KB

Download
memory/1652-2-0x0000000000B00000-0x0000000000B6C000-memory.dmp

Filesize
432KB

Download
memory/1652-16-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/1652-4-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2304-39-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-60-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-77-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-56-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-57-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-19-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/2304-59-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-20-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-38-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/2304-72-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2304-37-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2944-44-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2944-58-0x0000000000400000-0x0000000000892000-memory.dmp

Filesize
4.6MB

Download
memory/2944-45-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download