amadey | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

General

Target

b06437ffb6c87f69539842cd536e78d3.exe
Size

791KB
MD5

b06437ffb6c87f69539842cd536e78d3
SHA1

6799f24d5ff74fe1a045ea9845704bbbd1c818f6
SHA256

38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
SHA512

b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10
SSDEEP

24576:v/pYwErMbvMnTwQmBaWnBCqKZoYI81IuZ:H6wErMLMnTlmBaWntKZYuZ

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 2944 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exe

pid process

2776 explorhe.exe
684 explorhe.exe
2124 explorhe.exe
Loads dropped DLL 5 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exerundll32.exe

pid process

1744 b06437ffb6c87f69539842cd536e78d3.exe
2944 rundll32.exe
2944 rundll32.exe
2944 rundll32.exe
2944 rundll32.exe

flow	pid	process
6	2944	rundll32.exe

pid	process
2776	explorhe.exe
684	explorhe.exe
2124	explorhe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exe

pid	process
1744	b06437ffb6c87f69539842cd536e78d3.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe
2776	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2584 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exe

pid process

1744 b06437ffb6c87f69539842cd536e78d3.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

1744 b06437ffb6c87f69539842cd536e78d3.exe
2776 explorhe.exe
684 explorhe.exe
2124 explorhe.exe

pid	process
2584	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b06437ffb6c87f69539842cd536e78d3.exeexplorhe.exetaskeng.exe

description	pid	process	target process
PID 1744 wrote to memory of 2776	1744	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1744 wrote to memory of 2776	1744	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1744 wrote to memory of 2776	1744	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 1744 wrote to memory of 2776	1744	b06437ffb6c87f69539842cd536e78d3.exe	explorhe.exe
PID 2776 wrote to memory of 2584	2776	explorhe.exe	schtasks.exe
PID 2776 wrote to memory of 2584	2776	explorhe.exe	schtasks.exe
PID 2776 wrote to memory of 2584	2776	explorhe.exe	schtasks.exe
PID 2776 wrote to memory of 2584	2776	explorhe.exe	schtasks.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2776 wrote to memory of 2944	2776	explorhe.exe	rundll32.exe
PID 2856 wrote to memory of 684	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 684	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 684	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 684	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 2124	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 2124	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 2124	2856	taskeng.exe	explorhe.exe
PID 2856 wrote to memory of 2124	2856	taskeng.exe	explorhe.exe

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2944

C:\Windows\system32\taskeng.exe
taskeng.exe {A37A31EC-5266-46B5-A5F8-5BA07FCEC621} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
b06437ffb6c87f69539842cd536e78d3

SHA1
6799f24d5ff74fe1a045ea9845704bbbd1c818f6

SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

SHA512
b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
85adfc825e1e654524565fa313b7ddbd

SHA1
f92418c2f842c6441dc00eea517edae7a3989aef

SHA256
980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089

SHA512
e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

Download Submit
memory/684-46-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/684-49-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/1744-0-0x0000000001010000-0x0000000001418000-memory.dmp

Filesize
4.0MB

Download
memory/1744-3-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1744-2-0x0000000001010000-0x0000000001418000-memory.dmp

Filesize
4.0MB

Download
memory/1744-11-0x0000000001010000-0x0000000001418000-memory.dmp

Filesize
4.0MB

Download
memory/2124-61-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2124-57-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-41-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-55-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-42-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-26-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-50-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-51-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-52-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-53-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-54-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-43-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-13-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-14-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-62-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-63-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-64-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-65-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download
memory/2776-66-0x0000000000300000-0x0000000000708000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads