amadey | f108a2310bfa3944ed7b92e43f6a78ced3e5aa3cef8be4f449cda3869d68e28c

Analysis

max time kernel
1s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5911df5268fa5f853dbe7e272d673ebdd24d37359191f8c2e49da523337629e9.exe
Size

5.5MB
MD5

cb85b05afe9130e35937697c56d1fd4a
SHA1

7ea967e29ea21ac034ca3feedaaf3ed7937156a4
SHA256

5911df5268fa5f853dbe7e272d673ebdd24d37359191f8c2e49da523337629e9
SHA512

300e3db569eb0dc56f8f8a9fb07dc9c7df727984c669dc41af6a243d92b7b3517e254cf6b8e2c141d700910e73f1a30b6b73503e1c57f915f492802a313be68c
SSDEEP

98304:BJsdjJqCh/sR/+jG2TNjE5jvJgB5NpZUVYEgSO1ib0y0HxaT5e4xBo5pUXdALaQb:sdjJqY/sRcTNjyxq5QYFRtHxaIYacXdU

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Extracted

Family

amadey

http://185.172.128.5

Attributes

strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1528	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5911df5268fa5f853dbe7e272d673ebdd24d37359191f8c2e49da523337629e9.exe
"C:\Users\Admin\AppData\Local\Temp\5911df5268fa5f853dbe7e272d673ebdd24d37359191f8c2e49da523337629e9.exe"
1⤵
PID:4876
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1528
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    PID:4080
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      PID:3356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:3660
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    PID:2772

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
8KB

MD5
31b3d33fcce52e9bdbd073e4b21bf478

SHA1
7eccd06fd3121ecf7d4341b009f978343a63c875

SHA256
1a526670a04d58ba6b55709a41dda5218cd79b33c4b6a588fff4cf850ac3487f

SHA512
f9c8ffd92f73b9ba6fce481163c40353fb5127166a5004074ecd984770f250ab2231a7a182e3f66be0c57d5acdbc2d0c8deb5b698f2c0f1e4dd1fcae4eee8494

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
2.2MB

MD5
43b3d831d70caaf7df7e22d15923eb54

SHA1
227e19467969304556eccc945dc16e74e5670999

SHA256
5e6848947cc74e66e36b6bbc667c3b0f3f40e5d42e961e14469b84eb576d5b44

SHA512
12e699cdfde7e811a708691c08dd57aea19348d2ee6f7ee1054e501dff84a7596dadc7cee2a565398e1d167eda0a3007e13224d17b86f9e99c0e1851fc7f8d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
8KB

MD5
2488ddd48533acb81439b71f514f02b1

SHA1
1266048bef401e6f3f5f78950aef6e11965255d1

SHA256
5013a2a38c11e467af66d160d7ea8fe5232202d9febc387971794c20a3caca92

SHA512
d87c001776c44957574965f0195657794d6e7b26b23a9ab645ac25e9a1ee19af00c052659c2a5549fb7666c9d7f43f592041ee66751794e8664cb06aac3b1a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
11KB

MD5
d4d5298ef55c39b06d36f51fe973d86e

SHA1
5c443bc10e456c87fbd9fb7aed9c54672f7fc756

SHA256
e25572752e6b4453937501f25e5532c2b0baa3c498b552a45cddd7c025fef9fa

SHA512
dd6f4dd790fbb5c756f6d2000944c315f6cfa2c0a89b4947fc3435ca9f9a25d5c4a26975d176be5a770a02f2c659e1d61933a25f3128e2ab0f7ba6a7ee8dd234

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
2.8MB

MD5
1b0dac5a4873a1eefe4c678287702c5c

SHA1
9a31d4410c82c1b58b81f88e0e6a6fd12ef7d5a2

SHA256
23f2f151d6559d8ab432d4e51152498180e1840446620b872987c94bcca2cebb

SHA512
7aacb15f8963c6a3fa191609b1fc3559ffd11fb550c6fae1ac821addae9b114fe8bb1549c52c9351c8a7df7688826eb9df1cf36173b0bee1553667e34e26c076

Download Submit
C:\Users\Admin\AppData\Local\Temp\683043812824

Filesize
12KB

MD5
3592f3596b8a33adbf7dc681e0382de9

SHA1
cb1c22c1bbee46b1456d5333420c5480952ec86f

SHA256
1a27bbc4afc459287c44fdc074cbd7c5f8fc31356e94228ad30dd2bf4e896e5d

SHA512
97f2908738c53ab85aabef9c667d2d172d2aae515b9a88d37f2163c21140ca215c7fe5d95f662b56d5fa48faed9f337858ef904aeba5f6154494358faff34938

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbafsb5r.up5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
13KB

MD5
ed62ed7cf1b96543fed306552fcec78b

SHA1
de5cee5e8d03000a8d3efd7e58afb3f55f99d806

SHA256
165396021033a921f5b89353ba9964b158f60199b11d143225cda2e6c9792a9c

SHA512
d43b5b1ccde9488d8a46118031abea0a2b1865227941e83db1daaf09a7383b792f85941fc048c6d864dc757d6c71346d45e7c1fdb4766122b84e57febd953274

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
33KB

MD5
fd355c8aa89472d4965a06532eff5275

SHA1
103c32ce1c976725d3685e3d17b196734d0d13cb

SHA256
d7335449ed361ee18ab25dcedda617f9769948e320d7d3aa5a63013003277a90

SHA512
1bdd35cf0343996ee098c17b99d08ec737373c0a82173af64c61de02db2f4daabd82b33e400a0f9eb5c190d4fa4e3925b4b79b1454424f93b93b4e8f7d79d503

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
102KB

MD5
c06513af505f65393b4ebcd2a11a2ee4

SHA1
6e9e8a6b93fc9afbcc781790881d821b0bfb0821

SHA256
f5d35a2366cf13312a30c9384f1ac30d9dc9ced46fa6b1b9c2d0621493cc2495

SHA512
b90b8dc0571b2dde83c5ceaa4f12f203973bc2049663c0a840fa20a900bc7018f1f392f10273a607e816ccaf8a2b4f70bbc30b354437a2c9aecf5626b7c0a5ce

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
19KB

MD5
ddc6293e86b7c65e515f1b0223bb4e15

SHA1
b6e9d1c51f0ebe395670a9a1d8b028d205ed2080

SHA256
3bdb69de8611c9606652ef9fd32e6dfd858ee7af9cc83b36a2cb1dd4e36f5248

SHA512
f2174a243d5511ea19355e4f1a5343b5c628567addb60927f1987b13f7ef2c3ca61271288152c26f261a3c37cc09cfd62e682f0c06d340205c52ad3c559cacd7

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
1.2MB

MD5
38d922b1364ecc07f1a933b7acb20de4

SHA1
82a3d4f9cf3502da8710c07f9b7b447b79519216

SHA256
48c4c53425a0ee02d48f3eab2b4da3b6ed24d6d5bc45dea783e43e32b9752931

SHA512
cb1ca40afc5ad7828c9ef79c8029e76ec351bbbf6697ab1ec6dd9fe7aa5273028cf9d711a9babb4444ab44266751affbb3de4f4c9572dea102b1a04e95f0d315

Download Submit
memory/1900-123-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/1900-124-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/1900-137-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/1900-135-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/1900-129-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3660-78-0x0000018723950000-0x0000018723962000-memory.dmp

Filesize
72KB

Download
memory/3660-75-0x00007FFADC3B0000-0x00007FFADCE71000-memory.dmp

Filesize
10.8MB

Download
memory/3660-77-0x0000018722CF0000-0x0000018722D00000-memory.dmp

Filesize
64KB

Download
memory/3660-76-0x0000018722CF0000-0x0000018722D00000-memory.dmp

Filesize
64KB

Download
memory/3660-65-0x0000018722E70000-0x0000018722E92000-memory.dmp

Filesize
136KB

Download
memory/3660-79-0x0000018722CE0000-0x0000018722CEA000-memory.dmp

Filesize
40KB

Download
memory/3660-85-0x00007FFADC3B0000-0x00007FFADCE71000-memory.dmp

Filesize
10.8MB

Download
memory/3900-115-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3900-102-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3900-113-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3900-101-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3900-107-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-33-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-28-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-86-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-52-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-46-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-39-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-27-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/3924-98-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-0-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-26-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-12-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-6-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-2-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download
memory/4876-1-0x0000000000400000-0x0000000000EA9000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads