amadey | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b

General

Target

amer.exe
Size

791KB
MD5

6878df738defcf088ba56b4d214ca1bd
SHA1

24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2
SHA256

fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
SHA512

7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78
SSDEEP

24576:UvNgtcwqLlnUwQeRHW/nSJVuPR4CZbmNrUJqh:UFVw4lnUleR2/SvoZSgE

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

38 5012 rundll32.exe

flow	pid	process
38	5012	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amer.exeexplorhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	amer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 3 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exe

pid process

2060 explorhe.exe
3556 explorhe.exe
4760 explorhe.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5012 rundll32.exe

pid	process
5012	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

explorhe.exe

pid	process
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe
2060	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1832 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

amer.exe

pid process

3652 amer.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

amer.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

3652 amer.exe
2060 explorhe.exe
3556 explorhe.exe
4760 explorhe.exe

pid	process
1832	schtasks.exe

pid	process
3652	amer.exe

pid	process
3652	amer.exe
2060	explorhe.exe
3556	explorhe.exe
4760	explorhe.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

amer.exeexplorhe.exe

description	pid	process	target process
PID 3652 wrote to memory of 2060	3652	amer.exe	explorhe.exe
PID 3652 wrote to memory of 2060	3652	amer.exe	explorhe.exe
PID 3652 wrote to memory of 2060	3652	amer.exe	explorhe.exe
PID 2060 wrote to memory of 1832	2060	explorhe.exe	schtasks.exe
PID 2060 wrote to memory of 1832	2060	explorhe.exe	schtasks.exe
PID 2060 wrote to memory of 1832	2060	explorhe.exe	schtasks.exe
PID 2060 wrote to memory of 5012	2060	explorhe.exe	rundll32.exe
PID 2060 wrote to memory of 5012	2060	explorhe.exe	rundll32.exe
PID 2060 wrote to memory of 5012	2060	explorhe.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\amer.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5012

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
6878df738defcf088ba56b4d214ca1bd

SHA1
24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2

SHA256
fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b

SHA512
7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
85adfc825e1e654524565fa313b7ddbd

SHA1
f92418c2f842c6441dc00eea517edae7a3989aef

SHA256
980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089

SHA512
e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2060-29-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-61-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-15-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-20-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-63-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-64-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-65-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-41-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-62-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-17-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-48-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-49-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-50-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-51-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-52-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-53-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/2060-60-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/3556-47-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/3556-44-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/3652-0-0x0000000000650000-0x0000000000A58000-memory.dmp

Filesize
4.0MB

Download
memory/3652-16-0x0000000000650000-0x0000000000A58000-memory.dmp

Filesize
4.0MB

Download
memory/3652-2-0x0000000000650000-0x0000000000A58000-memory.dmp

Filesize
4.0MB

Download
memory/3652-1-0x0000000000650000-0x0000000000A58000-memory.dmp

Filesize
4.0MB

Download
memory/4760-59-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download
memory/4760-55-0x0000000000640000-0x0000000000A48000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads