amadey | 751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7077ab5685f753d94192aca8e3158fb5.exe
Size

6.2MB
MD5

7077ab5685f753d94192aca8e3158fb5
SHA1

a73f1b79f6a1fccc0cb4f10b875a0b5a0182dc90
SHA256

751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2
SHA512

64001b470b17434a051b64477955175f5c35db89761477dd5473f8229e6b141a252ab0ed0cef6655135be4fa70f13313475a427195e3013a7a2c061cd260ef26
SSDEEP

98304:Xrxkmr7CWoqbb4ngAFGw7WClREnjwaeSkMc88QS+qE0AaG8MlftjxeUZH:XKyzoLgkW4RmKMcJWqE0AaGxftjx/Z

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.19

http://creationofprogress.com

Attributes

install_dir
603179bf2d
install_file
Dctooux.exe
strings_key
e6d1abb3e9573b823ce443b691fcda47
url_paths
/8BvxwQdec3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 1208	3096	7077ab5685f753d94192aca8e3158fb5.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3096	7077ab5685f753d94192aca8e3158fb5.exe
3096	7077ab5685f753d94192aca8e3158fb5.exe
1208	cmd.exe
1208	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3096	7077ab5685f753d94192aca8e3158fb5.exe
1208	cmd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 1208	3096	7077ab5685f753d94192aca8e3158fb5.exe	89
PID 3096 wrote to memory of 1208	3096	7077ab5685f753d94192aca8e3158fb5.exe	89
PID 3096 wrote to memory of 1208	3096	7077ab5685f753d94192aca8e3158fb5.exe	89
PID 3096 wrote to memory of 1208	3096	7077ab5685f753d94192aca8e3158fb5.exe	89
PID 1208 wrote to memory of 3600	1208	cmd.exe	105
PID 1208 wrote to memory of 3600	1208	cmd.exe	105
PID 1208 wrote to memory of 3600	1208	cmd.exe	105
PID 1208 wrote to memory of 3600	1208	cmd.exe	105
PID 1208 wrote to memory of 3600	1208	cmd.exe	105
PID 1208 wrote to memory of 3600	1208	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe
"C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\add78427

Filesize
1.1MB

MD5
2067bc4915fe76186dcb9c0f5432c608

SHA1
fff611f9712a3a7a01b81b4072f0d157ac32912c

SHA256
2f7ba6f9e552418a89e02cb66fca42f7fef9f58b8ca99030b29a1a7ebcd0299f

SHA512
18d7edb4a03e278b26323ce1dc2d76bdbdc033917b5033a78b0dda02c33a7b5ac218be63499fe26393ee8a25a7a9893e97b18c3209d9355e9c3aea93aece14c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0f1a0f0

Filesize
1.1MB

MD5
ce64db9cb00fafb3d29a69159dbdf713

SHA1
2066e9c7eb42a4303be3890b7c03dcd05c9af5b0

SHA256
928c03ae29a2051953b8325d9e2ba537670411643bc645ebaf20591df5c5d5a4

SHA512
7e3b1150acb8ef46d7d4cacca6b953f53d0d33d3a994760bc66ebba9e01198e7cf3679ad9828d2fa98a0f1b6ea49a5960228f0e9f6a36029eebd50a7551200a0

Download Submit
memory/1208-22-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/1208-12-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/1208-18-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/1208-17-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/1208-14-0x00007FFE05850000-0x00007FFE05A45000-memory.dmp

Filesize
2.0MB

Download
memory/3096-10-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/3096-6-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/3096-7-0x00007FFE05850000-0x00007FFE05A45000-memory.dmp

Filesize
2.0MB

Download
memory/3096-9-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/3096-8-0x0000000074930000-0x0000000074AAB000-memory.dmp

Filesize
1.5MB

Download
memory/3096-0-0x0000000000940000-0x0000000000BAB000-memory.dmp

Filesize
2.4MB

Download
memory/3600-23-0x00007FFE05850000-0x00007FFE05A45000-memory.dmp

Filesize
2.0MB

Download
memory/3600-24-0x00000000000C0000-0x000000000012F000-memory.dmp

Filesize
444KB

Download
memory/3600-26-0x00000000000C0000-0x000000000012F000-memory.dmp

Filesize
444KB

Download