Overview

overview

10

Static

static

10

6b8e428cff...57.exe

windows7-x64

10

6b8e428cff...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-01-2024 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe

  • Size

    426KB

  • MD5

    9a0b7ee713610b8395c8f0580a3b1e3d

  • SHA1

    e44a9e7ec6fe06ae6ba1b9518db78e95ad451942

  • SHA256

    6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357

  • SHA512

    0f7acbc99ef4b91eba1db5b50a352f29432da25bbd3c4364947dad3d1ce2ccc3b9f95f75e66a22cd11d7fcd8bfcc6903ba646b2e8543767bce4b6b786736f8fc

  • SSDEEP

    6144:1OP1cLnbZQOvBM1nGT7SVJEeFRuhuRlOBC+3hmHfqYr5PcfT5m0JuGeFxACt70+N:cPkOOKGNeZ6C+RpYrtS5m0JuGeFxZ06

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes
  • install_dir

    d887ceb89d

  • install_file

    explorhe.exe

  • strings_key

    7cadc181267fafff9df8503e730d60e1

  • url_paths

    /theme/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe
    "C:\Users\Admin\AppData\Local\Temp\6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:2560
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3060
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C5E23CDE-9EC5-4BA1-A131-44B2D161B1D8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      2⤵
      • Executes dropped EXE
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      2⤵
      • Executes dropped EXE
      PID:2576
    • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      2⤵
      • Executes dropped EXE
      PID:588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Filesize

    426KB

    MD5

    9a0b7ee713610b8395c8f0580a3b1e3d

    SHA1

    e44a9e7ec6fe06ae6ba1b9518db78e95ad451942

    SHA256

    6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357

    SHA512

    0f7acbc99ef4b91eba1db5b50a352f29432da25bbd3c4364947dad3d1ce2ccc3b9f95f75e66a22cd11d7fcd8bfcc6903ba646b2e8543767bce4b6b786736f8fc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Filesize

    280KB

    MD5

    f56baafb279028d4cd5a36b0861b9d11

    SHA1

    73f01a3a07387f1a2e4b9ac26b253301d332bc59

    SHA256

    bc123c78d6354c85f5af3ac7f1ddc8c08809503e947c85cea5174c991031da80

    SHA512

    c45e0d2f305f0c80a01984e32dcc6fd607827f4605989ad4d61e0b5e2807464b5b9268f8f5822f8c899a596585db0347e55f34d1e0e172c0e5553076c5412fb8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
    Filesize

    102KB

    MD5

    85af6c99d918757171d2d280e5ac61ef

    SHA1

    ba1426d0ecf89825f690adad0a9f3c8c528ed48e

    SHA256

    150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

    SHA512

    12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
    Filesize

    162B

    MD5

    1b7c22a214949975556626d7217e9a39

    SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

    SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Download Submit
  • memory/1044-0-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize

    4KB

    Download