amadey | 3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366

General

Target

explorhe.exe
Size

790KB
MD5

b7668e16e00cfa7aab4fd5833311a9d3
SHA1

81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7
SHA256

3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366
SHA512

7e2146e5e8b28830208a92ddcb57075fd0e046856c0564e3faf5f0d71a6dbe5454c16b45664da4277de795eb53f1be447de4aae2a0a5a0d12eefe9d5be6d96e4
SSDEEP

12288:r9SJ++jmIFElFpRqH1YWGn1Io7YNQZDzdYD/jGW/nSkxgsDggauUPnIpm68fuvQR:r0g9/nREmWGn/wQFRHW/nSkx4dk4qo

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 2544 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exe

pid process

2756 explorhe.exe
1504 explorhe.exe
1020 explorhe.exe
Loads dropped DLL 5 IoCs

Processes:

explorhe.exerundll32.exe

pid process

2280 explorhe.exe
2544 rundll32.exe
2544 rundll32.exe
2544 rundll32.exe
2544 rundll32.exe

flow	pid	process
6	2544	rundll32.exe

pid	process
2756	explorhe.exe
1504	explorhe.exe
1020	explorhe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

explorhe.exeexplorhe.exe

pid	process
2280	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe
2756	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2444 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorhe.exe

pid process

2280 explorhe.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

2280 explorhe.exe
2756 explorhe.exe
1504 explorhe.exe
1020 explorhe.exe

pid	process
2444	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

explorhe.exeexplorhe.exetaskeng.exe

description	pid	process	target process
PID 2280 wrote to memory of 2756	2280	explorhe.exe	explorhe.exe
PID 2280 wrote to memory of 2756	2280	explorhe.exe	explorhe.exe
PID 2280 wrote to memory of 2756	2280	explorhe.exe	explorhe.exe
PID 2280 wrote to memory of 2756	2280	explorhe.exe	explorhe.exe
PID 2756 wrote to memory of 2444	2756	explorhe.exe	schtasks.exe
PID 2756 wrote to memory of 2444	2756	explorhe.exe	schtasks.exe
PID 2756 wrote to memory of 2444	2756	explorhe.exe	schtasks.exe
PID 2756 wrote to memory of 2444	2756	explorhe.exe	schtasks.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 2756 wrote to memory of 2544	2756	explorhe.exe	rundll32.exe
PID 1524 wrote to memory of 1504	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1504	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1504	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1504	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1020	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1020	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1020	1524	taskeng.exe	explorhe.exe
PID 1524 wrote to memory of 1020	1524	taskeng.exe	explorhe.exe

C:\Users\Admin\AppData\Local\Temp\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\explorhe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2544

C:\Windows\system32\taskeng.exe
taskeng.exe {D3255ADC-5BF4-40E1-AB8D-1BFA2B7BBEF6} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
790KB

MD5
b7668e16e00cfa7aab4fd5833311a9d3

SHA1
81f2ecd89774c56e0cc9cdb9dfe273df76dfefa7

SHA256
3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366

SHA512
7e2146e5e8b28830208a92ddcb57075fd0e046856c0564e3faf5f0d71a6dbe5454c16b45664da4277de795eb53f1be447de4aae2a0a5a0d12eefe9d5be6d96e4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
54ef66a2354691f7925f15eb520a888e

SHA1
a36036aef8f690db5612eb2326a9015e94e9c43f

SHA256
0f6a105fc2a026f60919579108e06a9f7c38f22ca4e4284a6a23eeebb453ef83

SHA512
33184e1aa8a6dedf2e6d69e315cfc59ab6ab32cc94861931a23104a02e8c02ac009d02196530caff0fba359ece52b725c511b36d36492e22238dbd447e9ffa85

Download Submit
memory/1020-65-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/1020-62-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/1504-53-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/1504-50-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/1504-48-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2280-13-0x0000000000F80000-0x0000000001388000-memory.dmp

Filesize
4.0MB

Download
memory/2280-4-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x0000000000F80000-0x0000000001388000-memory.dmp

Filesize
4.0MB

Download
memory/2280-2-0x0000000000F80000-0x0000000001388000-memory.dmp

Filesize
4.0MB

Download
memory/2280-0-0x0000000000F80000-0x0000000001388000-memory.dmp

Filesize
4.0MB

Download
memory/2756-44-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-57-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-46-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-29-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-28-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-19-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-54-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-55-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-56-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-45-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-58-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-59-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-15-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-14-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-66-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-67-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download
memory/2756-68-0x0000000001130000-0x0000000001538000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads