amadey | 08e893cc397572a8f7d3871e0037027556acf986455fdace296d8d618b7a651a

General

Target

c534aca3cc4244dc3ae7bee791ee85ae.exe
Size

482KB
MD5

c534aca3cc4244dc3ae7bee791ee85ae
SHA1

58dd83c3e3b5b88d51e7392a704a08b0eb2cdfd5
SHA256

08e893cc397572a8f7d3871e0037027556acf986455fdace296d8d618b7a651a
SHA512

16d631f6b16a0e26a6ee9446db7448eeb34a5de48f2d53fab0538a4daceb4266f4459e1629e26291cba5bac9d83d2c6d289ab628d535005a7bdf54a5d51698d1
SSDEEP

12288:M+dGf/lHLV+p1wiywrLkvcbjv69D51DMCafSMV:ddUdkgQLkgK51DNaf

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2460	Utsysc.exe
240	Utsysc.exe
1084	Utsysc.exe
1620	Utsysc.exe

Loads dropped DLL 2 IoCs

pid	Process
776	c534aca3cc4244dc3ae7bee791ee85ae.exe
776	c534aca3cc4244dc3ae7bee791ee85ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
776	c534aca3cc4244dc3ae7bee791ee85ae.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2460	776	c534aca3cc4244dc3ae7bee791ee85ae.exe	28
PID 776 wrote to memory of 2460	776	c534aca3cc4244dc3ae7bee791ee85ae.exe	28
PID 776 wrote to memory of 2460	776	c534aca3cc4244dc3ae7bee791ee85ae.exe	28
PID 776 wrote to memory of 2460	776	c534aca3cc4244dc3ae7bee791ee85ae.exe	28
PID 2460 wrote to memory of 2784	2460	Utsysc.exe	29
PID 2460 wrote to memory of 2784	2460	Utsysc.exe	29
PID 2460 wrote to memory of 2784	2460	Utsysc.exe	29
PID 2460 wrote to memory of 2784	2460	Utsysc.exe	29
PID 1080 wrote to memory of 240	1080	taskeng.exe	33
PID 1080 wrote to memory of 240	1080	taskeng.exe	33
PID 1080 wrote to memory of 240	1080	taskeng.exe	33
PID 1080 wrote to memory of 240	1080	taskeng.exe	33
PID 1080 wrote to memory of 1084	1080	taskeng.exe	36
PID 1080 wrote to memory of 1084	1080	taskeng.exe	36
PID 1080 wrote to memory of 1084	1080	taskeng.exe	36
PID 1080 wrote to memory of 1084	1080	taskeng.exe	36
PID 1080 wrote to memory of 1620	1080	taskeng.exe	37
PID 1080 wrote to memory of 1620	1080	taskeng.exe	37
PID 1080 wrote to memory of 1620	1080	taskeng.exe	37
PID 1080 wrote to memory of 1620	1080	taskeng.exe	37

C:\Users\Admin\AppData\Local\Temp\c534aca3cc4244dc3ae7bee791ee85ae.exe
"C:\Users\Admin\AppData\Local\Temp\c534aca3cc4244dc3ae7bee791ee85ae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2784

C:\Windows\system32\taskeng.exe
taskeng.exe {29622D4A-E327-448E-A955-9B6C29E25BC4} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\427588347149

Filesize
71KB

MD5
fbf0ff51191d0c5343cb94142aa1ed88

SHA1
100966b06d8722adde33c370ebb9272b8f58f05f

SHA256
19afae68de89c6c0b375d975dcd85a77946b127ebec91c9ec1d3927cc955206d

SHA512
c5183ea989edd0bcff8ef6c75328fbe73ab7df2308c5aaeabde2b61593b5c6a9f9310c933898634d08c538986dc0c32d0836c4f991cfd7c533486d216105c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
482KB

MD5
c534aca3cc4244dc3ae7bee791ee85ae

SHA1
58dd83c3e3b5b88d51e7392a704a08b0eb2cdfd5

SHA256
08e893cc397572a8f7d3871e0037027556acf986455fdace296d8d618b7a651a

SHA512
16d631f6b16a0e26a6ee9446db7448eeb34a5de48f2d53fab0538a4daceb4266f4459e1629e26291cba5bac9d83d2c6d289ab628d535005a7bdf54a5d51698d1

Download Submit
memory/240-47-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/240-42-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/240-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/776-16-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/776-2-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/776-18-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/776-17-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/776-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/776-4-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/776-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1084-55-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1084-54-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1620-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1620-65-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2460-21-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2460-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2460-43-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2460-31-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2460-20-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads