Overview

overview

10

Static

static

10

f169750c92...18.exe

windows7-x64

10

f169750c92...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2023 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f169750c922fd27298748f97c1a9e2b8442fb4d2d5d85f35f61528c4df6b3718.exe

  • Size

    425KB

  • MD5

    b0aa0a177f2193739bb3ee81245dbe67

  • SHA1

    683cc9723ede300b072d2124c031d7dd0a0cf472

  • SHA256

    f169750c922fd27298748f97c1a9e2b8442fb4d2d5d85f35f61528c4df6b3718

  • SHA512

    cccfab49f7669895f6404417299ca022876f2e904e3cb25eb6d0af00b46e56ceebf1f9e3ac04c427bce4cac423e7d77f28a57e1f435624777ba8b51d45ccd692

  • SSDEEP

    12288:bSIX87D533xNzxb9XdEpxDYsF4m98uH+WYcCF:S7D533xNzl9N+YOD/CF

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com
Attributes
  • install_dir

    d4dd819322

  • install_file

    Utsysc.exe

  • strings_key

    8419b3024d6f72beef8af6915e592308

  • url_paths

    /forum/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f169750c922fd27298748f97c1a9e2b8442fb4d2d5d85f35f61528c4df6b3718.exe
    "C:\Users\Admin\AppData\Local\Temp\f169750c922fd27298748f97c1a9e2b8442fb4d2d5d85f35f61528c4df6b3718.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:544
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        3⤵
          PID:1376
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          3⤵
            PID:3832
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
            3⤵
              PID:3960
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
              3⤵
                PID:3048
          • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            1⤵
            • Executes dropped EXE
            PID:4088
          • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            1⤵
            • Executes dropped EXE
            PID:1560

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\635043082297
            Filesize

            78KB

            MD5

            98376be132caf49beb999be180c5f581

            SHA1

            5f90a879256895a9232fbb45bf732869792e4a43

            SHA256

            86269a5f0d03e56bd83748c12d227c75af72a95862f72898ec9c5bf2aca65b03

            SHA512

            11b95eecb1135498c8fe989cec450c7aa513f0854c77a39c9206d4d358febd1607dd3f958d89830b4bf7d97020d45941148eca53c5fb9e32fe223b83c406f828

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            Filesize

            425KB

            MD5

            b0aa0a177f2193739bb3ee81245dbe67

            SHA1

            683cc9723ede300b072d2124c031d7dd0a0cf472

            SHA256

            f169750c922fd27298748f97c1a9e2b8442fb4d2d5d85f35f61528c4df6b3718

            SHA512

            cccfab49f7669895f6404417299ca022876f2e904e3cb25eb6d0af00b46e56ceebf1f9e3ac04c427bce4cac423e7d77f28a57e1f435624777ba8b51d45ccd692

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            Filesize

            256KB

            MD5

            6c560cbc082455c74fd6e2f668ed539f

            SHA1

            3894f25dfad4de9de1fcf17daa0c8fb85915033e

            SHA256

            6515ffbc04c150dff779ae80eee776534433a5887b5a919ce050da3e0dd8d782

            SHA512

            9e926684dab887b76858a039166d38b97a9d2f93da541017a9c715196d5c92189ccc1df1eee7b846d51832a01484e574cb53fe9286f1cf78bd5a9f9f8b74e670

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
            Filesize

            128KB

            MD5

            c5555e4ec0941cd9abf86b8ad14d82be

            SHA1

            addd26a1607b31950466f4324467af8375cec9bc

            SHA256

            a4ded7a82aecd6df0ee25040e604c6cffa1ce165c6b6ef2b673c799fb566f84e

            SHA512

            81d6cd6a21eabeedf76380d6fae2e70e2eff03dbd21c78a6a182c51b714f47026c6c7e4fd4f365da017351d1e4f031b2b06620908a7e0b9b6d716ce9228cc02b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
            Filesize

            66KB

            MD5

            9b0507b53287ffe4c3af7ea8413b3998

            SHA1

            a042a1973f9714866e8156a8f714926c2bb02b3f

            SHA256

            70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

            SHA512

            a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

            Download Submit