amadey | 5fa605bf9666dc9486a83737d1f77e241bb27a033e609625499f17dbf608e840

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

am.exe
Size

8.1MB
MD5

31fd3d2bdee0fd45c35273bebe4907fa
SHA1

e464d8d3e5a16c0484ecb40e0599a3b4ad1e3f21
SHA256

5fa605bf9666dc9486a83737d1f77e241bb27a033e609625499f17dbf608e840
SHA512

5a5558811d5a167db43a0a96679f253c3692921e59bc61708a66f6f55458441bb3c3bdc24896eefabd5f2edfb6c87b87be520bd8abd29b0428d831d24ae947b9
SSDEEP

196608:Z0SPWFEHfuhw52hhflik2kYrq/d/wNHP7as4v:Zgqfuhw0hmZry4NesG

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.19

http://bestofthebesttraining.com

Attributes

install_dir
763b1308d2
install_file
Dctooux.exe
strings_key
039c1d21f5b79a4ad9168019f3454a0c
url_paths
/8BvxwQdec3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Suspicious use of SetThreadContext 1 IoCs

Processes:

am.exe

description pid process target process

PID 2192 set thread context of 2520 2192 am.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

am.execmd.exe

pid process

2192 am.exe
2192 am.exe
2520 cmd.exe
2520 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

am.execmd.exe

pid process

2192 am.exe
2520 cmd.exe

description	pid	process	target process
PID 2192 set thread context of 2520	2192	am.exe	cmd.exe

pid	process
2192	am.exe
2192	am.exe
2520	cmd.exe
2520	cmd.exe

pid	process
2192	am.exe
2520	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

am.execmd.exe

description	pid	process	target process
PID 2192 wrote to memory of 2520	2192	am.exe	cmd.exe
PID 2192 wrote to memory of 2520	2192	am.exe	cmd.exe
PID 2192 wrote to memory of 2520	2192	am.exe	cmd.exe
PID 2192 wrote to memory of 2520	2192	am.exe	cmd.exe
PID 2192 wrote to memory of 2520	2192	am.exe	cmd.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe
PID 2520 wrote to memory of 2676	2520	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9925fdd7
Filesize
1.2MB

MD5
c47b3e59f451975dd277c637e1636f43

SHA1
a86a805c219806a82352d76a6a89dbc61334e3b4

SHA256
d36db54ce9a87b04c1f60954f43c5adb5c88e52241e20e33460471567618bff1

SHA512
65aac733d4528de6fc55b725680b7cea3b3382e811552d12054b557c624d3c75612960fcf6e135fede47149e628c1ddb2b3c65ff1ce38cfc742c2d1f065c4742

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c25f21e
Filesize
1.1MB

MD5
557f3a137fe631641ba26a9a97f624ff

SHA1
fc3bd0e901b1e64f5b655b30d3a4e7fa1f37cbf2

SHA256
71b1a7177b2f38ff9f90e1ebe01a9fadd28b91717d11f1019caa33de38736cdc

SHA512
656e8c217738037a03d2698c88decd0a9773d623036092157eb220a2600caca256c25c286a88f73f2d8d433c269c5323d0a0c8a2bd28140c8c9adc426d26c5bc

Download Submit
memory/2192-6-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2192-7-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/2192-8-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2192-9-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2192-0-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/2520-13-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/2520-11-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2520-61-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2520-62-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2520-66-0x0000000074C90000-0x0000000074E04000-memory.dmp

Filesize
1.5MB

Download
memory/2676-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-67-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/2676-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2676-70-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download