Malware Analysis Report

2025-01-22 10:24

Sample ID: 240130-nh7seaehf4
Target: tmp
SHA256: 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
Tags: amadey, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

amadey trojan

Amadey

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-30 11:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-30 11:24
Reported: 2024-01-30 11:27
Platform: win7-20231215-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

Tags: trojan, amadey

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3024 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1444 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 1084 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2532 wrote to memory of 1868 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\system32\taskeng.exe

taskeng.exe {BCB209AC-AEF3-40EC-AFDA-B4A2D8CD924A} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country | Destination | Domain | Proto
RU | 185.215.113.68:80 | | tcp

Files


C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 ce69e9b5bae867e23705f064ec2ace94
SHA1 649a6ffb7feb38267e006233213a1e796d3c7695
SHA256 6d246d3cd9cfa19ec18ea17adca050de670353f051430e6278d0c7396c1263e6
SHA512 fc57bb3fd888826e4361157cea7b9f862d1bb4d72ee1f9de9a7ef54b2f53b49cce7e5583b43c3f71e94a3d6fba1d9ab3c4ae91a6aae0034ef59a4b3d6db13ba9


C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 184572f2b1b836a28f9aaa4fb579f2ba
SHA1 287c1381d2bd61e0c3b45a6728bf7b4b0c7cbccc
SHA256 5d720b6b8e840f6f2ef12ab3203a7be78b96706df3598ee3f6db5b94b1fdbcff
SHA512 9b4cc03e31aff795c1b5eda8a66221373e02b4a636a0b97cf4979c30ea98905dfa342503cd6c6be638a19c19983c506360d0ff322d9075ecd46bb2b54c244767

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 4517d9d777b98a35b68caebb49c219b2
SHA1 91b0d08bba14d048dedd2493d14da6c512c2d28d
SHA256 59bab20821910df8e8bfc54ec49e0063866d3feaf1aa6902c33b62ec4ffca0ce
SHA512 2a32551c286ede6367d8628720f14a075b26fb014908b1dbac054166c4798cc70e9fd9522e4f82de6225b82c6b53f166c05aef81362aacd7eeefcd05422afc43

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 3853abb35ab617a117144f119cdc9808
SHA1 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae
SHA256 f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef
SHA512 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8


C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 dafba6b93e117bf5477c56a3a30a1a2d
SHA1 9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512 eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc


C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 c12d03f27b61c587dd0919dc310c5c03
SHA1 f172ce83a16eb139c747aa6b839e2f6e0ba9d6c0
SHA256 82825f86c3ae588eae12cefb1314158a34a5d90534eec5085c55628db3579d47
SHA512 3637be9599841eb66eb71ab21f8f302a4bdaa229d20690db1eba5d2a5235e8f2dbbfcb6e3cc57c6ca86cfd5d15003217d017f1ac4fd1bc7ea024e3e70190f75d


Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-30 11:24
Reported: 2024-01-30 11:27
Platform: win10v2004-20231215-en
Max time kernel: 148s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

Tags: trojan, amadey

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
RU | 185.215.113.68:80 | | tcp

Files


C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 dafba6b93e117bf5477c56a3a30a1a2d
SHA1 9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512 eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc


\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 3853abb35ab617a117144f119cdc9808
SHA1 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae
SHA256 f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef
SHA512 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8


\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
