amadey | 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

General

Target

5c1e965d21ddfb6972824827a6ad3ed5.exe
Size

790KB
MD5

5c1e965d21ddfb6972824827a6ad3ed5
SHA1

3267ccd4de8c23ab99433235d5529937409162e7
SHA256

82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
SHA512

2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0
SSDEEP

12288:iwx2ZDHcnIo7YNQYBeW8/LViyIakQz15bbPnK2I4uGxZbmqMrUAPJHj0gr:iwx4DHcnJwQpiyIakELT5ZbmNrUuj0

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

24 4356 rundll32.exe

flow	pid	process
24	4356	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	5c1e965d21ddfb6972824827a6ad3ed5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 3 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exe

pid process

2824 explorhe.exe
2044 explorhe.exe
2828 explorhe.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4356 rundll32.exe

pid	process
4356	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

explorhe.exeexplorhe.exe

pid	process
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2828	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe
2824	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3508 schtasks.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

1628 5c1e965d21ddfb6972824827a6ad3ed5.exe
2824 explorhe.exe
2044 explorhe.exe
2828 explorhe.exe

pid	process
3508	schtasks.exe

pid	process
1628	5c1e965d21ddfb6972824827a6ad3ed5.exe
2824	explorhe.exe
2044	explorhe.exe
2828	explorhe.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5c1e965d21ddfb6972824827a6ad3ed5.exeexplorhe.exe

description	pid	process	target process
PID 1628 wrote to memory of 2824	1628	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 1628 wrote to memory of 2824	1628	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 1628 wrote to memory of 2824	1628	5c1e965d21ddfb6972824827a6ad3ed5.exe	explorhe.exe
PID 2824 wrote to memory of 3508	2824	explorhe.exe	schtasks.exe
PID 2824 wrote to memory of 3508	2824	explorhe.exe	schtasks.exe
PID 2824 wrote to memory of 3508	2824	explorhe.exe	schtasks.exe
PID 2824 wrote to memory of 4356	2824	explorhe.exe	rundll32.exe
PID 2824 wrote to memory of 4356	2824	explorhe.exe	rundll32.exe
PID 2824 wrote to memory of 4356	2824	explorhe.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:3508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4356

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
464KB

MD5
e70444cbec942f2b4bca5bc0130566bf

SHA1
4bb96d4f482d19c097ba7ca9e42ed3b840e771ac

SHA256
6b25140c7cdd2fa9233682dbb13a305c5eb22dd0198e26b3f1db7dad3c36d5d4

SHA512
020b7d9c55ae050a46d2a53212e30f52756f429c36c176adb2bd221bdc0630e7fb247d978c581b885f42099bd8e101f6171f1cdc0cbf8a8e39b435688a404324

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
414KB

MD5
e55ca13bf3e791836f5aa14950dc51b0

SHA1
58737c9e1c2620dc8623059c68aee34121924038

SHA256
9a17f5fd4a7f6b3700daf2711bad9797baf403611399d7125d2e4130d1ee5073

SHA512
2a1ea15fac8f993d3f578d5faccf8b6637550c997398bb2539087c2a5bbab01703dc50c627bf61304e0455ca148f78d4a53c960e68fb1ed3b99c3e5fc090987e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
790KB

MD5
5c1e965d21ddfb6972824827a6ad3ed5

SHA1
3267ccd4de8c23ab99433235d5529937409162e7

SHA256
82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

SHA512
2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
661KB

MD5
88fbb02d941a0f38a33fccc25444cd80

SHA1
90e72ce9200c0d56bc61103b18a1e5253cbca54a

SHA256
fa2822a2d1d0d44f9adbf057ee65440a72fd2fe679c671c8a3cc64111166ea10

SHA512
295f88d886f601966c490417bbba515b1b051ac72344d0f61fa3a50503c28d3b9aadc308db65c310c55916e43211e393b49581b3c1c3a868789bd32e7f8c8c36

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/1628-1-0x00000000005E0000-0x00000000009E8000-memory.dmp

Filesize
4.0MB

Download
memory/1628-2-0x00000000005E0000-0x00000000009E8000-memory.dmp

Filesize
4.0MB

Download
memory/1628-15-0x00000000005E0000-0x00000000009E8000-memory.dmp

Filesize
4.0MB

Download
memory/1628-0-0x00000000005E0000-0x00000000009E8000-memory.dmp

Filesize
4.0MB

Download
memory/2044-50-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2044-47-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-42-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-51-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-41-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-39-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-43-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-44-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-27-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-14-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-16-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-40-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-52-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-53-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-54-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-55-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-56-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-64-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2824-63-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2828-62-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download
memory/2828-59-0x0000000000D10000-0x0000000001118000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads