amadey | ff3c3e7ea41955ee1ce503a05dd815a60f9f3d8765f117113212125154aa6136

General

Target

amer.exe
Size

791KB
MD5

0b6cc42e0e7dbac5b14d8272cf9a10dc
SHA1

50cd32af636a9f7361076dec109e1304bdccab35
SHA256

ff3c3e7ea41955ee1ce503a05dd815a60f9f3d8765f117113212125154aa6136
SHA512

3b5e1918121d85d1a34096becfae18c96f02307aec87b964e82323c94542097b8466561d80e4e024e0a778765299b6b76f02977c23d0086414c12d01fa1ec766
SSDEEP

12288:gIvcEqXn0o7YNQz1F85ZwKd89BcFniz72PbZFbmqMrUAxvvvWs:+ntwQpyEvOnivQbnbmNrUgvp

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 1 IoCs

flow	pid	Process
94	1924	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	amer.exe

Executes dropped EXE 3 IoCs

pid	Process
4460	explorhe.exe
4200	explorhe.exe
4720	explorhe.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4720	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe
4460	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4048	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4364	amer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4364	amer.exe
4460	explorhe.exe
4200	explorhe.exe
4720	explorhe.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4460	4364	amer.exe	90
PID 4364 wrote to memory of 4460	4364	amer.exe	90
PID 4364 wrote to memory of 4460	4364	amer.exe	90
PID 4460 wrote to memory of 4048	4460	explorhe.exe	92
PID 4460 wrote to memory of 4048	4460	explorhe.exe	92
PID 4460 wrote to memory of 4048	4460	explorhe.exe	92
PID 4460 wrote to memory of 1924	4460	explorhe.exe	103
PID 4460 wrote to memory of 1924	4460	explorhe.exe	103
PID 4460 wrote to memory of 1924	4460	explorhe.exe	103

C:\Users\Admin\AppData\Local\Temp\amer.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4048
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1924

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Filesize
754KB

MD5
e0e6a5b78853c76eab5364dd3f67e365

SHA1
549a2f1fc3db9f10f36fc97eb1db64f2e7f3de7c

SHA256
385dd113ce006ba5e149a26440123a70a52e34379168885b9b58c7f21ebb991c

SHA512
ea2f810bae839968932a9c51d95fb0fde0dc589ed5162360ea0e74acf6c3711728042dcf5bca303a5022e2645b03827351c6bc3db51dfcc37ab4004fd8b9af2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Filesize
791KB

MD5
0b6cc42e0e7dbac5b14d8272cf9a10dc

SHA1
50cd32af636a9f7361076dec109e1304bdccab35

SHA256
ff3c3e7ea41955ee1ce503a05dd815a60f9f3d8765f117113212125154aa6136

SHA512
3b5e1918121d85d1a34096becfae18c96f02307aec87b964e82323c94542097b8466561d80e4e024e0a778765299b6b76f02977c23d0086414c12d01fa1ec766

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8

Filesize
14B

MD5
8c36cdedb21883bff86e082a57ed1639

SHA1
5114ce74a63ca7f5c381786fa19b51d4b6de2e78

SHA256
0c46fd38bdae3cf9f5bc062173966770e843001d337b94af5c2cc7b20c61de77

SHA512
ed83f24476a17213a4e1147cde59885e55c1b593ed237aa7d2354d2485873edd87c3dca4177686630764be594b13dbaabdd659a65357f5f5854fdba1b16bb1fa

Download Submit
memory/4200-48-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4200-45-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4364-1-0x0000000000BA0000-0x0000000000FA8000-memory.dmp

Filesize
4.0MB

Download
memory/4364-2-0x0000000000BA0000-0x0000000000FA8000-memory.dmp

Filesize
4.0MB

Download
memory/4364-14-0x0000000000BA0000-0x0000000000FA8000-memory.dmp

Filesize
4.0MB

Download
memory/4364-0-0x0000000000BA0000-0x0000000000FA8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-16-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-51-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-30-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-28-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-42-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-17-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-15-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-49-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-50-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-29-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-52-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-53-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-54-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-64-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-60-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-61-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-62-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4460-63-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download
memory/4720-59-0x0000000000AD0000-0x0000000000ED8000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads