amadey | 751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2

General

Target

7077ab5685f753d94192aca8e3158fb5.exe
Size

6.2MB
MD5

7077ab5685f753d94192aca8e3158fb5
SHA1

a73f1b79f6a1fccc0cb4f10b875a0b5a0182dc90
SHA256

751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2
SHA512

64001b470b17434a051b64477955175f5c35db89761477dd5473f8229e6b141a252ab0ed0cef6655135be4fa70f13313475a427195e3013a7a2c061cd260ef26
SSDEEP

98304:Xrxkmr7CWoqbb4ngAFGw7WClREnjwaeSkMc88QS+qE0AaG8MlftjxeUZH:XKyzoLgkW4RmKMcJWqE0AaGxftjx/Z

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.19

C2

http://creationofprogress.com

Attributes

install_dir
603179bf2d
install_file
Dctooux.exe
strings_key
e6d1abb3e9573b823ce443b691fcda47
url_paths
/8BvxwQdec3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Suspicious use of SetThreadContext 1 IoCs

Processes:

7077ab5685f753d94192aca8e3158fb5.exe

description pid process target process

PID 3004 set thread context of 2656 3004 7077ab5685f753d94192aca8e3158fb5.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7077ab5685f753d94192aca8e3158fb5.execmd.exe

pid process

3004 7077ab5685f753d94192aca8e3158fb5.exe
3004 7077ab5685f753d94192aca8e3158fb5.exe
2656 cmd.exe
2656 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7077ab5685f753d94192aca8e3158fb5.execmd.exe

pid process

3004 7077ab5685f753d94192aca8e3158fb5.exe
2656 cmd.exe

description	pid	process	target process
PID 3004 set thread context of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe

pid	process
3004	7077ab5685f753d94192aca8e3158fb5.exe
3004	7077ab5685f753d94192aca8e3158fb5.exe
2656	cmd.exe
2656	cmd.exe

pid	process
3004	7077ab5685f753d94192aca8e3158fb5.exe
2656	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7077ab5685f753d94192aca8e3158fb5.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe
PID 3004 wrote to memory of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe
PID 3004 wrote to memory of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe
PID 3004 wrote to memory of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe
PID 3004 wrote to memory of 2656	3004	7077ab5685f753d94192aca8e3158fb5.exe	cmd.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe
PID 2656 wrote to memory of 1804	2656	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe
"C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e020448
Filesize
1.1MB

MD5
2067bc4915fe76186dcb9c0f5432c608

SHA1
fff611f9712a3a7a01b81b4072f0d157ac32912c

SHA256
2f7ba6f9e552418a89e02cb66fca42f7fef9f58b8ca99030b29a1a7ebcd0299f

SHA512
18d7edb4a03e278b26323ce1dc2d76bdbdc033917b5033a78b0dda02c33a7b5ac218be63499fe26393ee8a25a7a9893e97b18c3209d9355e9c3aea93aece14c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdcbdd2
Filesize
1.1MB

MD5
560dc14e93e0928c1d9f98acf47e2e20

SHA1
f342bcc21f5c8c61ed65245152e774a85fbf0536

SHA256
ca9bfcdf5c2400c360fb62c2381a6bf737796a83662aef057ed2d859049a5cde

SHA512
2a9a99b0eb1098143505427c362775885276014f3cc9efed6dc7f447764a7240ad999b401908a8305305e0ed2a610345a41e493368f481b99e22cd4c996a7242

Download Submit
memory/1804-70-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1804-68-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1804-67-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/1804-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1804-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-13-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/2656-61-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/2656-62-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/2656-11-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/2656-66-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/3004-0-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/3004-9-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/3004-8-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download
memory/3004-7-0x0000000076D30000-0x0000000076ED9000-memory.dmp

Filesize
1.7MB

Download
memory/3004-6-0x0000000074180000-0x00000000742F4000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing