amadey | b812dbe9129d88c1678a30de2ef373f01f7f6077c15b5652acbc18692427c8be

General

Target

167442cdddc3ad06aa3cd879ebacd81a.exe
Size

317KB
MD5

167442cdddc3ad06aa3cd879ebacd81a
SHA1

246a74400c573f1035acbc1da4c3776c4d8ad58b
SHA256

b812dbe9129d88c1678a30de2ef373f01f7f6077c15b5652acbc18692427c8be
SHA512

2b72fedf0e62213a3c926b2bc40f1c8ea72495d05343f20e14a62a40cca9d48a2c64d12d7d23c00462ee4f24f6413b2f91573f76d61cee58445c6ea48b2e6e20
SSDEEP

6144:572yjcT7NjWEpGwZKFM8+a+e4cZNvemhN5h9ZnTJkz:cocT7NjEwZA2a+rQNvhhN5h9Za

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.50

C2

http://185.215.113.206

Attributes

install_dir
bd1299733e
install_file
rnyuf.exe
strings_key
ad15f4a6e80870b6c41345d8514d8ee1
url_paths
/k8FppT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
2324	rnyuf.exe
2076	rnyuf.exe
812	rnyuf.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	167442cdddc3ad06aa3cd879ebacd81a.exe
1612	167442cdddc3ad06aa3cd879ebacd81a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2332	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2324	1612	167442cdddc3ad06aa3cd879ebacd81a.exe	28
PID 1612 wrote to memory of 2324	1612	167442cdddc3ad06aa3cd879ebacd81a.exe	28
PID 1612 wrote to memory of 2324	1612	167442cdddc3ad06aa3cd879ebacd81a.exe	28
PID 1612 wrote to memory of 2324	1612	167442cdddc3ad06aa3cd879ebacd81a.exe	28
PID 2324 wrote to memory of 2720	2324	rnyuf.exe	30
PID 2324 wrote to memory of 2720	2324	rnyuf.exe	30
PID 2324 wrote to memory of 2720	2324	rnyuf.exe	30
PID 2324 wrote to memory of 2720	2324	rnyuf.exe	30
PID 2324 wrote to memory of 2332	2324	rnyuf.exe	32
PID 2324 wrote to memory of 2332	2324	rnyuf.exe	32
PID 2324 wrote to memory of 2332	2324	rnyuf.exe	32
PID 2324 wrote to memory of 2332	2324	rnyuf.exe	32
PID 2720 wrote to memory of 2592	2720	cmd.exe	33
PID 2720 wrote to memory of 2592	2720	cmd.exe	33
PID 2720 wrote to memory of 2592	2720	cmd.exe	33
PID 2720 wrote to memory of 2592	2720	cmd.exe	33
PID 1352 wrote to memory of 2076	1352	taskeng.exe	38
PID 1352 wrote to memory of 2076	1352	taskeng.exe	38
PID 1352 wrote to memory of 2076	1352	taskeng.exe	38
PID 1352 wrote to memory of 2076	1352	taskeng.exe	38
PID 1352 wrote to memory of 812	1352	taskeng.exe	39
PID 1352 wrote to memory of 812	1352	taskeng.exe	39
PID 1352 wrote to memory of 812	1352	taskeng.exe	39
PID 1352 wrote to memory of 812	1352	taskeng.exe	39

C:\Users\Admin\AppData\Local\Temp\167442cdddc3ad06aa3cd879ebacd81a.exe
"C:\Users\Admin\AppData\Local\Temp\167442cdddc3ad06aa3cd879ebacd81a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2332

C:\Windows\system32\taskeng.exe
taskeng.exe {C4DF8775-9ED2-45EA-8DC3-F5CFDB1B6914} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\152116030592

Filesize
65KB

MD5
eccc47df0f3bc4512f34d89bbb871aef

SHA1
9e94248c36c6a73a51802fab1e8378219964b99a

SHA256
fe3bf4b1731bb6f56991ef412e8c5fd43e32d97f97aaa6a8ccb91a771f6b3a4a

SHA512
0d73f128085e4ba303482ba3bb979ab6d53aed1d67f97427482d2857261c99f743274ace2fea6960ba0e7312f3df3841a6dede75b3f9b2185f9f03e46921cf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
128KB

MD5
32c57d8f44fd9e70a88265c85d839256

SHA1
92aeca60abaa1621ff7ff9875a8867e927be0ec0

SHA256
c96b3d151c7c97f4dc006161ee02dd520da297a23402bfdeabcc509628aaabda

SHA512
5a5534d739ffda9494030d779d5f19281d0a5e69a637c41262069fa2436cc42d8f406fc83814c4f3f538839cfbcc2c0788206c65074ae3d60031ca209beae270

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
64KB

MD5
49da4d97a512ebe8aaf15ff252d1c4bf

SHA1
8d4a1ece150448179ecda2463f619b08d5da872e

SHA256
38b6f70a7a7ea41a883065a34d6694afbc33d37309c18e6e636720320ad7ad21

SHA512
a246ee90d9f505ae33163d78a6d00b631812c19f8cf65c4775c303fb11cf80d981b1c24111d5755450c6f00e9b225603239ab4473e69b45b592f2922f966c440

Download Submit
\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
317KB

MD5
167442cdddc3ad06aa3cd879ebacd81a

SHA1
246a74400c573f1035acbc1da4c3776c4d8ad58b

SHA256
b812dbe9129d88c1678a30de2ef373f01f7f6077c15b5652acbc18692427c8be

SHA512
2b72fedf0e62213a3c926b2bc40f1c8ea72495d05343f20e14a62a40cca9d48a2c64d12d7d23c00462ee4f24f6413b2f91573f76d61cee58445c6ea48b2e6e20

Download Submit
memory/1612-2-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1612-18-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/1612-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1612-10-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/1612-1-0x00000000024D0000-0x00000000025D0000-memory.dmp

Filesize
1024KB

Download
memory/2076-53-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/2076-54-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2324-29-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/2324-36-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/2324-34-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/2324-32-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download
memory/2324-26-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/2324-62-0x0000000000400000-0x00000000023BA000-memory.dmp

Filesize
31.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads