amadey | 2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb

General

Target

2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe
Size

791KB
MD5

92e801725271ed67717bfcd1cd524eee
SHA1

8e30f78e231a605b2875bfed3b743bce73313093
SHA256

2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb
SHA512

1c3b75718fe87eb74374b1d8fd6d0df7cf8e37751552775803fa703744f1e3437e40a06340630917fb450f25ac518ae888f0a866068b250afea315a47472ac98
SSDEEP

12288:LrS+EN/44n7o7YNQdDzdYD/jGW/nSFuVD3N3iFWM6+gjN3sUNv21hXxtf:LB844nEwQhRHW/nSFuVRC9ncebBtf

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2472	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
2656	explorhe.exe
1048	explorhe.exe
1868	explorhe.exe

Loads dropped DLL 5 IoCs

pid	Process
1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe
2472	rundll32.exe
2472	rundll32.exe
2472	rundll32.exe
2472	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
1048	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe
2656	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2716	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe
2656	explorhe.exe
1048	explorhe.exe
1868	explorhe.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2656	1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe	28
PID 1696 wrote to memory of 2656	1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe	28
PID 1696 wrote to memory of 2656	1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe	28
PID 1696 wrote to memory of 2656	1696	2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe	28
PID 2656 wrote to memory of 2716	2656	explorhe.exe	29
PID 2656 wrote to memory of 2716	2656	explorhe.exe	29
PID 2656 wrote to memory of 2716	2656	explorhe.exe	29
PID 2656 wrote to memory of 2716	2656	explorhe.exe	29
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 2656 wrote to memory of 2472	2656	explorhe.exe	32
PID 524 wrote to memory of 1048	524	taskeng.exe	37
PID 524 wrote to memory of 1048	524	taskeng.exe	37
PID 524 wrote to memory of 1048	524	taskeng.exe	37
PID 524 wrote to memory of 1048	524	taskeng.exe	37
PID 524 wrote to memory of 1868	524	taskeng.exe	38
PID 524 wrote to memory of 1868	524	taskeng.exe	38
PID 524 wrote to memory of 1868	524	taskeng.exe	38
PID 524 wrote to memory of 1868	524	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe
"C:\Users\Admin\AppData\Local\Temp\2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2716
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2472

C:\Windows\system32\taskeng.exe
taskeng.exe {AB1FF742-5247-43A4-87B9-640D4A7C71B4} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
e89ac1f7b3083ec3c93283ec05fecf79

SHA1
489b25a1a12157a6b3ce503b091feee61522ffc5

SHA256
60a8cdd10cb25eef274723b0c24b5d140a5ef2402455f7a03dc44844b867dbde

SHA512
1c498b1b8733fe257e1c57e1b89641909af085b35a3becfc9893616205e9d3efce9e14345a3080b0d3b75bfff97bd36ecc819126b511088ab10476fb77ca7187

Download Submit
\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Filesize
791KB

MD5
92e801725271ed67717bfcd1cd524eee

SHA1
8e30f78e231a605b2875bfed3b743bce73313093

SHA256
2412d2291880ecef6a46169846845ae459aa3a7b5500be4ae1458edf572913eb

SHA512
1c3b75718fe87eb74374b1d8fd6d0df7cf8e37751552775803fa703744f1e3437e40a06340630917fb450f25ac518ae888f0a866068b250afea315a47472ac98

Download Submit
memory/1048-54-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/1048-49-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/1048-51-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/1696-4-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1696-13-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download
memory/1696-15-0x0000000004BD0000-0x0000000004FD8000-memory.dmp

Filesize
4.0MB

Download
memory/1696-0-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download
memory/1696-2-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download
memory/1696-1-0x0000000000A30000-0x0000000000E38000-memory.dmp

Filesize
4.0MB

Download
memory/1868-65-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-46-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-57-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-44-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-47-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-29-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-17-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-16-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-55-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-56-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-45-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-58-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-59-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-60-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-14-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-66-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-67-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-68-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download
memory/2656-69-0x0000000000A50000-0x0000000000E58000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads