amadey | 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

General

Target

tmp.exe
Size

791KB
MD5

dafba6b93e117bf5477c56a3a30a1a2d
SHA1

9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256

594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512

eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc
SSDEEP

24576:0CusCnjwQrBaWnBCqHjooSQU2kLExTSee:0CanjlrBaWntHjoTQrkgxuee

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.15

C2

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

explorhe.exeexplorhe.exeexplorhe.exe

pid process

1444 explorhe.exe
1084 explorhe.exe
1868 explorhe.exe
Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid process

3024 tmp.exe

pid	process
1444	explorhe.exe
1084	explorhe.exe
1868	explorhe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

tmp.exeexplorhe.exe

pid	process
3024	tmp.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe
1444	explorhe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2964 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

3024 tmp.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

tmp.exeexplorhe.exeexplorhe.exeexplorhe.exe

pid process

3024 tmp.exe
1444 explorhe.exe
1084 explorhe.exe
1868 explorhe.exe

pid	process
2964	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tmp.exeexplorhe.exetaskeng.exe

description	pid	process	target process
PID 3024 wrote to memory of 1444	3024	tmp.exe	explorhe.exe
PID 3024 wrote to memory of 1444	3024	tmp.exe	explorhe.exe
PID 3024 wrote to memory of 1444	3024	tmp.exe	explorhe.exe
PID 3024 wrote to memory of 1444	3024	tmp.exe	explorhe.exe
PID 1444 wrote to memory of 2964	1444	explorhe.exe	schtasks.exe
PID 1444 wrote to memory of 2964	1444	explorhe.exe	schtasks.exe
PID 1444 wrote to memory of 2964	1444	explorhe.exe	schtasks.exe
PID 1444 wrote to memory of 2964	1444	explorhe.exe	schtasks.exe
PID 2532 wrote to memory of 1084	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1084	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1084	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1084	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1868	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1868	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1868	2532	taskeng.exe	explorhe.exe
PID 2532 wrote to memory of 1868	2532	taskeng.exe	explorhe.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\taskeng.exe
taskeng.exe {BCB209AC-AEF3-40EC-AFDA-B4A2D8CD924A} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
206KB

MD5
184572f2b1b836a28f9aaa4fb579f2ba

SHA1
287c1381d2bd61e0c3b45a6728bf7b4b0c7cbccc

SHA256
5d720b6b8e840f6f2ef12ab3203a7be78b96706df3598ee3f6db5b94b1fdbcff

SHA512
9b4cc03e31aff795c1b5eda8a66221373e02b4a636a0b97cf4979c30ea98905dfa342503cd6c6be638a19c19983c506360d0ff322d9075ecd46bb2b54c244767

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
108KB

MD5
ce69e9b5bae867e23705f064ec2ace94

SHA1
649a6ffb7feb38267e006233213a1e796d3c7695

SHA256
6d246d3cd9cfa19ec18ea17adca050de670353f051430e6278d0c7396c1263e6

SHA512
fc57bb3fd888826e4361157cea7b9f862d1bb4d72ee1f9de9a7ef54b2f53b49cce7e5583b43c3f71e94a3d6fba1d9ab3c4ae91a6aae0034ef59a4b3d6db13ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
dafba6b93e117bf5477c56a3a30a1a2d

SHA1
9f5b1c990ec15ba2a90377dbc1da6e046d083050

SHA256
594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

SHA512
eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
448KB

MD5
c12d03f27b61c587dd0919dc310c5c03

SHA1
f172ce83a16eb139c747aa6b839e2f6e0ba9d6c0

SHA256
82825f86c3ae588eae12cefb1314158a34a5d90534eec5085c55628db3579d47

SHA512
3637be9599841eb66eb71ab21f8f302a4bdaa229d20690db1eba5d2a5235e8f2dbbfcb6e3cc57c6ca86cfd5d15003217d017f1ac4fd1bc7ea024e3e70190f75d

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
3853abb35ab617a117144f119cdc9808

SHA1
03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae

SHA256
f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef

SHA512
0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8

Download Submit
\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
270KB

MD5
4517d9d777b98a35b68caebb49c219b2

SHA1
91b0d08bba14d048dedd2493d14da6c512c2d28d

SHA256
59bab20821910df8e8bfc54ec49e0063866d3feaf1aa6902c33b62ec4ffca0ce

SHA512
2a32551c286ede6367d8628720f14a075b26fb014908b1dbac054166c4798cc70e9fd9522e4f82de6225b82c6b53f166c05aef81362aacd7eeefcd05422afc43

Download Submit
memory/1084-32-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1084-29-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1084-27-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-34-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-25-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-16-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-19-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-48-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-21-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-22-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-47-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-24-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-38-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-14-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-46-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-45-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-37-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-33-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-36-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1444-35-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1868-41-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/1868-44-0x0000000001320000-0x0000000001728000-memory.dmp

Filesize
4.0MB

Download
memory/3024-23-0x00000000049A0000-0x0000000004DA8000-memory.dmp

Filesize
4.0MB

Download
memory/3024-0-0x0000000000C90000-0x0000000001098000-memory.dmp

Filesize
4.0MB

Download
memory/3024-1-0x0000000000C90000-0x0000000001098000-memory.dmp

Filesize
4.0MB

Download
memory/3024-2-0x0000000000C90000-0x0000000001098000-memory.dmp

Filesize
4.0MB

Download
memory/3024-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3024-12-0x0000000000C90000-0x0000000001098000-memory.dmp

Filesize
4.0MB

Download
memory/3024-15-0x00000000049A0000-0x0000000004DA8000-memory.dmp

Filesize
4.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads