amadey | 0aca64d7066e48d14f232f01d55d128b875b2de0a29f1e7fee7e980e5a5a9a53

General

Target

e0dfb50d544ec355cd56374677e97e1e.exe
Size

4.1MB
MD5

e0dfb50d544ec355cd56374677e97e1e
SHA1

c4cb9fa8cdfab22b77c9c84cbb353c37edfd58d6
SHA256

0aca64d7066e48d14f232f01d55d128b875b2de0a29f1e7fee7e980e5a5a9a53
SHA512

016308415cb45a702756a27bd37dab1fda9d57924896ac37e12ac77dd0c09e240ee5de90c5dd092174d34fbcf1289fe5617b0b0297b0f09fd5a8bbe94553a225
SSDEEP

98304:JbnQlG+e2f0tl5t/+VO9ql3+Mmw2m7c57giraEkq1AIcO:JbQl3mtR/tc+MYQdIb

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.31

Attributes

install_dir
8a643770bf
install_file
drbux.exe
strings_key
a4b4e846f6cf1a081d182d6cd3bf1ee7
url_paths
/hfV3vDtt/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

drbux.exedrbux.exedrbux.exe

pid process

2500 drbux.exe
2708 drbux.exe
2140 drbux.exe
Loads dropped DLL 1 IoCs

Processes:

e0dfb50d544ec355cd56374677e97e1e.exe

pid process

2380 e0dfb50d544ec355cd56374677e97e1e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2612 schtasks.exe

pid	process
2500	drbux.exe
2708	drbux.exe
2140	drbux.exe

pid	process
2380	e0dfb50d544ec355cd56374677e97e1e.exe

pid	process
2612	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e0dfb50d544ec355cd56374677e97e1e.exedrbux.execmd.exetaskeng.exe

description	pid	process	target process
PID 2380 wrote to memory of 2500	2380	e0dfb50d544ec355cd56374677e97e1e.exe	drbux.exe
PID 2380 wrote to memory of 2500	2380	e0dfb50d544ec355cd56374677e97e1e.exe	drbux.exe
PID 2380 wrote to memory of 2500	2380	e0dfb50d544ec355cd56374677e97e1e.exe	drbux.exe
PID 2380 wrote to memory of 2500	2380	e0dfb50d544ec355cd56374677e97e1e.exe	drbux.exe
PID 2500 wrote to memory of 2628	2500	drbux.exe	cmd.exe
PID 2500 wrote to memory of 2628	2500	drbux.exe	cmd.exe
PID 2500 wrote to memory of 2628	2500	drbux.exe	cmd.exe
PID 2500 wrote to memory of 2628	2500	drbux.exe	cmd.exe
PID 2500 wrote to memory of 2612	2500	drbux.exe	schtasks.exe
PID 2500 wrote to memory of 2612	2500	drbux.exe	schtasks.exe
PID 2500 wrote to memory of 2612	2500	drbux.exe	schtasks.exe
PID 2500 wrote to memory of 2612	2500	drbux.exe	schtasks.exe
PID 2628 wrote to memory of 2752	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2752	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2752	2628	cmd.exe	reg.exe
PID 2628 wrote to memory of 2752	2628	cmd.exe	reg.exe
PID 2668 wrote to memory of 2708	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2708	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2708	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2708	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2140	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2140	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2140	2668	taskeng.exe	drbux.exe
PID 2668 wrote to memory of 2140	2668	taskeng.exe	drbux.exe

C:\Users\Admin\AppData\Local\Temp\e0dfb50d544ec355cd56374677e97e1e.exe
"C:\Users\Admin\AppData\Local\Temp\e0dfb50d544ec355cd56374677e97e1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8a643770bf\
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN drbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2612

C:\Windows\system32\taskeng.exe
taskeng.exe {39A9FB7B-7069-4600-9802-691561761607} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe
  2⤵
  - Executes dropped EXE
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\152133094054

Filesize
47KB

MD5
35df096c4c3512f790868af89b3bcf6b

SHA1
480c1c9fbf3bcf4f6bf416f0740f739952f46975

SHA256
7b4a08842b5319a22e8ec29c779a59fa39878b996eb6abae5d42ac2503fb456b

SHA512
5ed73bd31ee5cbbf462dd700b9d93b2e096c25bf6f32cc15bd43616092433a1e3282e2bebb82864868aaed6e724a87e10f6aacef220e22fe341a7853f926eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\15213309405411416092

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
909KB

MD5
2f14b2de914836d249c3fd3e6c08be81

SHA1
60d5129facab7fb47990fba1a07e0eee2592cc0a

SHA256
9333fdeab6d4c879f642e6baf0027bf1eb19ebfb5cf7a76e895f8f422f97ea7f

SHA512
24bfb2cc7b205b76034f7e63b777b3c3b697859225c80ffa50e4a876c6649738c870ae3b20f24e9d5a4f440464b273a89e14201004c8ddab40cdffa1de13c9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
741KB

MD5
9e64033e1f8b1b8ff258a3e00e4b3597

SHA1
8be1057a0c41229d55c579f1fca3f99d051bf610

SHA256
db0677ea0af47c8fbb9a5c7493e53816fe260d8f8e5bd57ae9ec50da049da9ad

SHA512
1b08b845d5be44cd3b4ac7847d034f2110d26444f7e975052517e4210e4b1eb99c989591c749319568e3d5c62c26a7ecefe53575b4aae983d027a45beba4282b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
3.8MB

MD5
bd13b8049184b2a1a9c43c75cf51ff5c

SHA1
6800d34f702b28cb553f7b538fa1489784545e7e

SHA256
8194f7362ca6580c7748a5ddba1be837eeb9b3fa9cebdf0a77b395dbbddf0b0f

SHA512
d8cafe8b981015a46cf7e1db8e471cf71a59a547a9ecbf00ce1e8f532fd4a472ace345ee345e5be4483d665304fcb2b39727a1322d430a771b8e93cfcfac75e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
3.5MB

MD5
4adc260a1177a724cd4806fcfabf1d82

SHA1
ef69a5813f11131ed7b4e837ecad44db0afc7cf4

SHA256
c55278caf448a825e5fdb4f2b1b15842feb75280a74f3eefd55ed76c4426e4d7

SHA512
84f27f0c87bb6fb7159970a407068ccaf249468b94d8603132410d5014086c76e0375bf1e9546654d225c93d627ee9cc2680c805e1c09c1977c4929a7b598880

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
4.1MB

MD5
e0dfb50d544ec355cd56374677e97e1e

SHA1
c4cb9fa8cdfab22b77c9c84cbb353c37edfd58d6

SHA256
0aca64d7066e48d14f232f01d55d128b875b2de0a29f1e7fee7e980e5a5a9a53

SHA512
016308415cb45a702756a27bd37dab1fda9d57924896ac37e12ac77dd0c09e240ee5de90c5dd092174d34fbcf1289fe5617b0b0297b0f09fd5a8bbe94553a225

Download Submit
\Users\Admin\AppData\Local\Temp\8a643770bf\drbux.exe

Filesize
998KB

MD5
960f13be8a53069019088afae0e22158

SHA1
198d636db43a63b251c7080a069531f5105856e2

SHA256
0e330fdbd0d98ce18961cadeb65c1ef4ec4c1a1626adbbdc7315008849749b98

SHA512
28b8cc7021f90908d5e3e23d1e726d4253f8266f43e7c127710a86c5bd7d1179a895261c4e8481ae5ae131c6baa1b257921ad0bdfe8bdfda46f19601c46fd11b

Download Submit
memory/2140-41-0x0000000000290000-0x0000000000914000-memory.dmp

Filesize
6.5MB

Download
memory/2380-0-0x0000000000EA0000-0x0000000001524000-memory.dmp

Filesize
6.5MB

Download
memory/2500-14-0x0000000000290000-0x0000000000914000-memory.dmp

Filesize
6.5MB

Download
memory/2708-32-0x0000000000290000-0x0000000000914000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads