amadey | 4439c40b5de4942e215ac33995c521bd20c906125ef009c913fcf466c7406f19

Resubmissions

28-06-2024 17:14

240628-vr2fbaxclf 10

09-03-2024 17:17

240309-vtrnwsdg2s 10

Analysis

max time kernel
147s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneApp.IGCC.WinService.exe
Size

5.5MB
MD5

0cb7d11ea511391d791b0fbb9637ee79
SHA1

96c13496ad8342bdf1cb0ffbe59f673c8395e99b
SHA256

502129a00203367b15d57f87b5b51d01fb292928708decb723cd7ad866a7fda3
SHA512

8823a02a66d883cb7bffce5f4c93a216dd3280f5f65b340b00b8d6e72112327ef4e64fe6cd3c43dfe3dc7e241d19d4ea98bc9e9e3d49ca2818131920b4093aeb
SSDEEP

98304:MXu+i79EbSTjewAV6G67Ngr9wZZGBysnji/MZ/HqLGdOVnhamYMNwHYo8C4Esg6:MXuzCSTqwAV63Ngr9w6Zj5lHkG8hzqHw

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://pleasurecanbesafe.com

Attributes

install_dir
40c3273379
install_file
Dctooux.exe
strings_key
65688f14a915e81474c2405160e45f77
url_paths
/7vAficZogD/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Loads dropped DLL 10 IoCs

pid	Process
2624	more.com
2624	more.com
2196	procmap.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe
2328	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 2624	2544	OneApp.IGCC.WinService.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	2196	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	OneApp.IGCC.WinService.exe
2544	OneApp.IGCC.WinService.exe
2624	more.com
2624	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2544	OneApp.IGCC.WinService.exe
2624	more.com

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2624	2544	OneApp.IGCC.WinService.exe	27
PID 2544 wrote to memory of 2624	2544	OneApp.IGCC.WinService.exe	27
PID 2544 wrote to memory of 2624	2544	OneApp.IGCC.WinService.exe	27
PID 2544 wrote to memory of 2624	2544	OneApp.IGCC.WinService.exe	27
PID 2544 wrote to memory of 2624	2544	OneApp.IGCC.WinService.exe	27
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2624 wrote to memory of 2196	2624	more.com	31
PID 2196 wrote to memory of 2328	2196	procmap.exe	32
PID 2196 wrote to memory of 2328	2196	procmap.exe	32
PID 2196 wrote to memory of 2328	2196	procmap.exe	32
PID 2196 wrote to memory of 2328	2196	procmap.exe	32
PID 2624 wrote to memory of 2196	2624	more.com	31

C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe
"C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\procmap.exe
    C:\Users\Admin\AppData\Local\Temp\procmap.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\28537f44

Filesize
1.1MB

MD5
cbf1827884df82e1fccd3aa4f7a8e0a9

SHA1
a37b33607301c5a7da322c80b6bda85602ee3b09

SHA256
410064bdcfd6a9916646b8d510ce96d78dccaeb34dc944cac41cbb61e0e15ec8

SHA512
5638a2237a61e247e6cbfab018510c824aac2f34ded11ab7e795d87a3b1d9db7a2e42401aa5b02a65869c6c850f95f3fdd4122926745e0ab575c7c2c261c7084

Download Submit
\Users\Admin\AppData\Local\Temp\procmap.exe

Filesize
13KB

MD5
0c13dfbc137a3bb4cc8da0b6301e9468

SHA1
f2ce29eed4c9f219dab415cf6729ee06c8fcff4d

SHA256
ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9

SHA512
e9343db4f416b4428745e57e47626e7ce52a21d0fa904915554fd900bab1b26d49d0f77b74bbf5404ec898b19af2287cdef3ed6b8ccf50760767eb3fc204a895

Download Submit
memory/2196-38-0x00000000001B0000-0x000000000021D000-memory.dmp

Filesize
436KB

Download
memory/2196-36-0x00000000001B0000-0x000000000021D000-memory.dmp

Filesize
436KB

Download
memory/2196-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2196-26-0x00000000001B0000-0x000000000021D000-memory.dmp

Filesize
436KB

Download
memory/2196-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2196-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-2-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/2544-3-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2544-4-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2544-0-0x0000000000400000-0x0000000000A04000-memory.dmp

Filesize
6.0MB

Download
memory/2544-1-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-6-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-24-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-14-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-20-0x0000000002780000-0x000000000278A000-memory.dmp

Filesize
40KB

Download
memory/2624-19-0x0000000002780000-0x000000000278A000-memory.dmp

Filesize
40KB

Download
memory/2624-11-0x0000000074A80000-0x0000000074BF4000-memory.dmp

Filesize
1.5MB

Download
memory/2624-8-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download