amadey | d24a79e9dc77ef3602b64baf9ca453761ec86a32de4bf43aec7b80018bf393b6

General

Target

1b7bea48afdc1505a415847495c9f242.exe
Size

322KB
MD5

1b7bea48afdc1505a415847495c9f242
SHA1

63e907076b1d7abc88c4ed47b2c39e7f0541671e
SHA256

d24a79e9dc77ef3602b64baf9ca453761ec86a32de4bf43aec7b80018bf393b6
SHA512

c2dea07b4d6bcbb86bdd9bc2cc8cbe58e713573f7495ae2166c6a71d692159f610b610fc482710767526b0e83062aebc26088967039e6c5390abdb6eb6da86db
SSDEEP

6144:vk3xGtaKlclY5g7TW+38Aarti7CJ6NYCoPOXLBu/J7CzV:+xGtaOcl/7b38AaZL6NGuEB7aV

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.50

C2

http://185.215.113.206

Attributes

install_dir
bd1299733e
install_file
rnyuf.exe
strings_key
ad15f4a6e80870b6c41345d8514d8ee1
url_paths
/k8FppT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
2668	rnyuf.exe

Loads dropped DLL 2 IoCs

pid	Process
816	1b7bea48afdc1505a415847495c9f242.exe
816	1b7bea48afdc1505a415847495c9f242.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2928	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2668	816	1b7bea48afdc1505a415847495c9f242.exe	28
PID 816 wrote to memory of 2668	816	1b7bea48afdc1505a415847495c9f242.exe	28
PID 816 wrote to memory of 2668	816	1b7bea48afdc1505a415847495c9f242.exe	28
PID 816 wrote to memory of 2668	816	1b7bea48afdc1505a415847495c9f242.exe	28
PID 2668 wrote to memory of 2804	2668	rnyuf.exe	32
PID 2668 wrote to memory of 2804	2668	rnyuf.exe	32
PID 2668 wrote to memory of 2804	2668	rnyuf.exe	32
PID 2668 wrote to memory of 2804	2668	rnyuf.exe	32

C:\Users\Admin\AppData\Local\Temp\1b7bea48afdc1505a415847495c9f242.exe
"C:\Users\Admin\AppData\Local\Temp\1b7bea48afdc1505a415847495c9f242.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
      4⤵
      PID:2608

C:\Windows\system32\taskeng.exe
taskeng.exe {7A203F07-280B-4FC9-B871-AB75D47EE0F1} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2136
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
92KB

MD5
fabb5f4c1de02d1cb8a0f20adf18ca80

SHA1
337616b92aefcf104e104b01f8faaa8e6824e3ab

SHA256
fc20d069cf1d19d47c79d6718a8db710959f2afd585aaed6ca3542aefe857589

SHA512
b8d329aa8026e9dce36c139ef88490b993b547f0107b417fb4d87d74edea64915805a7f177ee1269f2121b5d2c2251116d634dae72928bd7a9df94a588eedca8

Download Submit
\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
322KB

MD5
1b7bea48afdc1505a415847495c9f242

SHA1
63e907076b1d7abc88c4ed47b2c39e7f0541671e

SHA256
d24a79e9dc77ef3602b64baf9ca453761ec86a32de4bf43aec7b80018bf393b6

SHA512
c2dea07b4d6bcbb86bdd9bc2cc8cbe58e713573f7495ae2166c6a71d692159f610b610fc482710767526b0e83062aebc26088967039e6c5390abdb6eb6da86db

Download Submit
\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe

Filesize
93KB

MD5
26702d4e7badc138403385a3ec5067cf

SHA1
cd21966f959fcf594428c418784e8d0cc7098f33

SHA256
90d4ca0f9ee998ef503045c06bd24a09c5dda51f1fbcf57401971e922f346392

SHA512
2b98b8a2ce4b2ddb48506ffaf5ac3a36e0a0f0ab072a7a976bd38f4d34c3e68b5fdccdd8a4754a33b64d7e2d93144210fa6b848c9a366bb076dc391500e581b5

Download Submit
memory/600-65-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/600-64-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/816-1-0x0000000002800000-0x0000000002900000-memory.dmp

Filesize
1024KB

Download
memory/816-2-0x0000000000240000-0x0000000000273000-memory.dmp

Filesize
204KB

Download
memory/816-10-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/816-18-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/816-20-0x0000000000240000-0x0000000000273000-memory.dmp

Filesize
204KB

Download
memory/2472-46-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2472-42-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/2668-34-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/2668-35-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2668-32-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2668-52-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2668-53-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2668-29-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/2668-26-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/2668-71-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads