amadey | 08e893cc397572a8f7d3871e0037027556acf986455fdace296d8d618b7a651a

General

Target

c534aca3cc4244dc3ae7bee791ee85ae.exe
Size

482KB
MD5

c534aca3cc4244dc3ae7bee791ee85ae
SHA1

58dd83c3e3b5b88d51e7392a704a08b0eb2cdfd5
SHA256

08e893cc397572a8f7d3871e0037027556acf986455fdace296d8d618b7a651a
SHA512

16d631f6b16a0e26a6ee9446db7448eeb34a5de48f2d53fab0538a4daceb4266f4459e1629e26291cba5bac9d83d2c6d289ab628d535005a7bdf54a5d51698d1
SSDEEP

12288:M+dGf/lHLV+p1wiywrLkvcbjv69D51DMCafSMV:ddUdkgQLkgK51DNaf

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes

install_dir
68fd3d7ade
install_file
Utsysc.exe
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	c534aca3cc4244dc3ae7bee791ee85ae.exe

Executes dropped EXE 4 IoCs

pid	Process
4732	Utsysc.exe
64	Utsysc.exe
3736	Utsysc.exe
2280	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1924	232	WerFault.exe	14
4308	232	WerFault.exe	14
2900	64	WerFault.exe	108
1804	64	WerFault.exe	108
2900	3736	WerFault.exe	117
4520	3736	WerFault.exe	117
2396	2280	WerFault.exe	128
4672	2280	WerFault.exe	128

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
400	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4732	232	c534aca3cc4244dc3ae7bee791ee85ae.exe	33
PID 232 wrote to memory of 4732	232	c534aca3cc4244dc3ae7bee791ee85ae.exe	33
PID 232 wrote to memory of 4732	232	c534aca3cc4244dc3ae7bee791ee85ae.exe	33
PID 4732 wrote to memory of 400	4732	Utsysc.exe	37
PID 4732 wrote to memory of 400	4732	Utsysc.exe	37
PID 4732 wrote to memory of 400	4732	Utsysc.exe	37

C:\Users\Admin\AppData\Local\Temp\c534aca3cc4244dc3ae7bee791ee85ae.exe
"C:\Users\Admin\AppData\Local\Temp\c534aca3cc4244dc3ae7bee791ee85ae.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 664
  2⤵
  - Program crash
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1440
  2⤵
  - Program crash
  PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 232 -ip 232
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 232 -ip 232
1⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
PID:64
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 436
  2⤵
  - Program crash
  PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 480
  2⤵
  - Program crash
  PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 64 -ip 64
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 64 -ip 64
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 436
  2⤵
  - Program crash
  PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 476
  2⤵
  - Program crash
  PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3736 -ip 3736
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3736 -ip 3736
1⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 432
  2⤵
  - Program crash
  PID:2396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 476
  2⤵
  - Program crash
  PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2280 -ip 2280
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2280 -ip 2280
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
54KB

MD5
6fd4f7e3f65af0fc1201625904d4e240

SHA1
900075ab50a81e0278727d6aad6ded8a33d3ee50

SHA256
7f2e14e84d716e86fe4052d65d2bcea6649c421da16364706f21e4d7b90bcedf

SHA512
bbe5dc53bbde063ad7142e561e6f1572810805207624316ca468be725621080ea01f05ce28310c94252405a4d214c3adffa8768770b0dcad182c114a651ec4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
6KB

MD5
54d5d8753839ef0c175678a20eeddc54

SHA1
71911bccda34e6a8fbab132f2139f2a81548b11e

SHA256
806146f4e1c195ba98f18c6cb58d2f724346911f02ef77963a383f6fae4bacf9

SHA512
490284e074b1f519c524ee54b4323214fdc5b8557ca3c4ab7fc693e81eb57eb6a67fe3727ba36effe43e2e336c7036e4a68faaf5d1fadb29e133b00dbf9c997c

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
57KB

MD5
0c4a904e081e5036f5b1d0515a0139cb

SHA1
20db81678b2fbc0eb8978f895cec62763e420605

SHA256
ae5644ef40e8de5591990f7ec8a16258fbc07d33262bd77977955d69dd65f3e7

SHA512
7a85fafd0f4bca9382c0ad96d6bad1bd004e7f387e792033b010d9ca9738ef37a23784b62df50036defe7e1369f63de6be409732e9fe101ce7ccdf9d4596cf1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Filesize
55KB

MD5
49007cb62386ba29ee3687e8b42f9dc9

SHA1
20d8ac099c002c3d13cacf748cbeaa6be04b91ed

SHA256
375cd7713dca646fd38563923d2066c4e29ba3b599e6d32c4c8ea9de29d53ce3

SHA512
c50b46846dd96a78aab1942dc7c6d349eb4c62ffc34be992e671b0a0df8a105f74600ff155c14b905dccbd4da2f07faf551260d2e2c55d02893372b452dd0e94

Download Submit
memory/64-41-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/64-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/232-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/232-1-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/232-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/232-2-0x0000000002110000-0x000000000217F000-memory.dmp

Filesize
444KB

Download
memory/2280-63-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2280-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3736-52-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3736-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4732-18-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/4732-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4732-20-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4732-42-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/4732-19-0x00000000020E0000-0x000000000214F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads