amadey | cf5e1526355e39553fef3c7a9aa2eec02966f4432019b49553ca409e10b9c1d7

Analysis

max time kernel
143s
max time network
130s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe
Size

382KB
MD5

b2d2a10399b902efbd4c02cf2b2eac34
SHA1

13b8e3acf1ef3f549cb8c5d236edb050234006a7
SHA256

2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1
SHA512

d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a
SSDEEP

6144:a/F0Z2tsmgQT+z9ZQvBymELE4JlKZGp0LQh4U6o3T:UFM2ts5yBwE6KpE7D

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

2692 Utsysc.exe
1552 Utsysc.exe
1368 Utsysc.exe

pid	process
2692	Utsysc.exe
1552	Utsysc.exe
1368	Utsysc.exe

Loads dropped DLL 2 IoCs

Processes:

2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe

pid	process
2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe
2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2792 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe

pid process

2572 2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe

pid	process
2792	schtasks.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exeUtsysc.exetaskeng.exe

description	pid	process	target process
PID 2572 wrote to memory of 2692	2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe	Utsysc.exe
PID 2572 wrote to memory of 2692	2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe	Utsysc.exe
PID 2572 wrote to memory of 2692	2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe	Utsysc.exe
PID 2572 wrote to memory of 2692	2572	2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe	Utsysc.exe
PID 2692 wrote to memory of 2792	2692	Utsysc.exe	schtasks.exe
PID 2692 wrote to memory of 2792	2692	Utsysc.exe	schtasks.exe
PID 2692 wrote to memory of 2792	2692	Utsysc.exe	schtasks.exe
PID 2692 wrote to memory of 2792	2692	Utsysc.exe	schtasks.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1708	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2800	2692	Utsysc.exe	rundll32.exe
PID 692 wrote to memory of 1552	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1552	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1552	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1552	692	taskeng.exe	Utsysc.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 2284	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 2692 wrote to memory of 1736	2692	Utsysc.exe	rundll32.exe
PID 692 wrote to memory of 1368	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1368	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1368	692	taskeng.exe	Utsysc.exe
PID 692 wrote to memory of 1368	692	taskeng.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe
"C:\Users\Admin\AppData\Local\Temp\2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:1708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:2800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:2284

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1736

C:\Windows\system32\taskeng.exe
taskeng.exe {A73B50B6-355D-43A0-88A3-F3A378649757} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\425689832238

Filesize
56KB

MD5
6106c994e1384419be8c2600e8d25efb

SHA1
b682345f22ef284026419ab694c074d0bddbb80d

SHA256
227354fa8d1b04e1f874114814a27412c1979965592d9426bffe7f5f3e9d12b6

SHA512
847aacb18ae1eb508ba6b1821141e1d6c3c1200317fc4cadeb048215c55f7b021e97243ddb81ba2076a595870578267a5c6c6290ac0f2fd9c174c15744566acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
382KB

MD5
b2d2a10399b902efbd4c02cf2b2eac34

SHA1
13b8e3acf1ef3f549cb8c5d236edb050234006a7

SHA256
2bca982e0e5b82440ccd17351d5cd916a9b769bcc0fb9df3f1163ce2ab9850e1

SHA512
d5637a611bfd49cbd9eaab6f31cea0cd26c011c5c5ae7328b251df8c1455da8f7a61163f716e3bf6336c930d6452bbdbd074ede9b6a58c027e0f548bbde9419a

Download Submit
memory/1368-78-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/1368-77-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1552-57-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1552-58-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/2572-18-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2572-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/2572-2-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/2572-4-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2572-3-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2572-16-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2572-17-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/2692-53-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-55-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-20-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2692-59-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-60-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-39-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-72-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-73-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-21-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-38-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/2692-40-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download