amadey | 73c8c6f74db38fbcf64f7262bce4d397b86aca9444650d7e4f347b0606b1a78f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

load_security.exe
Size

16.2MB
MD5

41e8a14eb9ad7c9f656065bef52df9d7
SHA1

735adabfcf3943d590717609d0058c8edd860073
SHA256

73c8c6f74db38fbcf64f7262bce4d397b86aca9444650d7e4f347b0606b1a78f
SHA512

2412062cf4db8f6d0f22dd96b64f73a85eace2f1ee36ebd0c8e9a895aa033a90d29153f9d11b282b0852a557c64d1f071d1e03c5a13cf8f61bf89ac3e1a6cca6
SSDEEP

196608:z0bq45mXYPrOLaw1VXyYgqd3g6V+xqoS/nWsSRCou7GXIaHZZ:Ibq4oojOLauyNqdw6QxqoQAL

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.19

http://185.42.163.120

Attributes

install_dir
523396b48f
install_file
Dctooux.exe
strings_key
18dd67cb11d29c8641cb5acf7e8a715f
url_paths
/8bjndDcoA3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 2 IoCs

pid	Process
2524	ptSrv.exe
3696	ptSrv.exe

Loads dropped DLL 14 IoCs

pid	Process
2524	ptSrv.exe
2524	ptSrv.exe
2524	ptSrv.exe
2524	ptSrv.exe
2524	ptSrv.exe
2524	ptSrv.exe
2524	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	load_security.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 1456	3696	ptSrv.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ptSrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	ptSrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ptSrv.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	ptSrv.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4824	load_security.exe
4824	load_security.exe
2524	ptSrv.exe
3696	ptSrv.exe
3696	ptSrv.exe
1456	cmd.exe
1456	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3696	ptSrv.exe
1456	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2524	ptSrv.exe
Token: SeTakeOwnershipPrivilege	2524	ptSrv.exe
Token: SeTakeOwnershipPrivilege	3696	ptSrv.exe
Token: SeTakeOwnershipPrivilege	3696	ptSrv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2524	4824	load_security.exe	91
PID 4824 wrote to memory of 2524	4824	load_security.exe	91
PID 4824 wrote to memory of 2524	4824	load_security.exe	91
PID 2524 wrote to memory of 3696	2524	ptSrv.exe	92
PID 2524 wrote to memory of 3696	2524	ptSrv.exe	92
PID 2524 wrote to memory of 3696	2524	ptSrv.exe	92
PID 3696 wrote to memory of 1456	3696	ptSrv.exe	96
PID 3696 wrote to memory of 1456	3696	ptSrv.exe	96
PID 3696 wrote to memory of 1456	3696	ptSrv.exe	96
PID 3696 wrote to memory of 1456	3696	ptSrv.exe	96
PID 1456 wrote to memory of 3180	1456	cmd.exe	104
PID 1456 wrote to memory of 3180	1456	cmd.exe	104
PID 1456 wrote to memory of 3180	1456	cmd.exe	104
PID 1456 wrote to memory of 3180	1456	cmd.exe	104
PID 1456 wrote to memory of 3180	1456	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\load_security.exe
"C:\Users\Admin\AppData\Local\Temp\load_security.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\hostbrowser\ptSrv.exe
  C:\Users\Admin\AppData\Local\Temp\hostbrowser\ptSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\hostbrowser\ptSrv.exe
    C:\Users\Admin\AppData\Roaming\hostbrowser\ptSrv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132431369515

Filesize
83KB

MD5
527ab931c83acfa6781d4f900a90aeee

SHA1
99abff1008e079f6e3955c62a01868c87ad79d78

SHA256
c020912f8abfd64d8b10483ab43997a0ea5234b6153f12ddc69a72381184f8a6

SHA512
13549f568d85c84ac4884ca35ed138e4a7d38383c06bcfed7bec5aa862a554a82148adf6025cd4431fe94cc9fd09dace26d91270478026403e3b32c7b2f453b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\82b5e52a

Filesize
4.6MB

MD5
53d2d1105bbaff2fbb6edd180e7f5d5a

SHA1
6a5507b71c765ff304bef9128443a84042b0b860

SHA256
c07614030a0034f1627d96c75f16c90ee5bbc26c2131a60d30d94931d2d56584

SHA512
c3a13de6f8a59216bec4cfdfd0223e338c6cf3466ab8c00874946216ebdbbcac178db962512355bef43c2e4b2b1be7167acefd45cc811163c57e27ea41adcf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\90afe4a0

Filesize
1.1MB

MD5
1b410da069aa34d7238e0b3a29942285

SHA1
9dca5a06e8d4e8c4fd8cf6128d0f6cf4f264f3a0

SHA256
d3960652a68c2fa8437485c8791f6f557ec50922addb64db2ffd0e50c65c722b

SHA512
3195361e9dc9f180d3aebf5bf84b8675e540d8ed2ef3ab48944efa742211c09277db010ae3190611b7ac1642afeca348482c77ebf612e7b8a90e35e00a361e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\MSVCP140.dll

Filesize
427KB

MD5
71a0aa2d05e9174cefd568347bd9c70f

SHA1
cb9247a0fa59e47f72df7d1752424b33a903bbb2

SHA256
fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

SHA512
6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\VCRUNTIME140.dll

Filesize
81KB

MD5
16b26bc43943531d7d7e379632ed4e63

SHA1
565287de39649e59e653a3612478c2186096d70a

SHA256
346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

SHA512
b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\WCLDll.dll

Filesize
590KB

MD5
b3e030ab715a02f8864a79f552a247b7

SHA1
4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa

SHA256
2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955

SHA512
cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\audiovisual.psd

Filesize
1000KB

MD5
e376486296d42acb961dde07c31580cb

SHA1
545dd607ad0aacaf4c3e2f571b22739d458a52f2

SHA256
d188965a5b07969d9a1891825e5da6fa75fad3b43c2d114d8723e570ca2e3b74

SHA512
5029503be73877b1523bc7f09db3c0e7c101d6a065651af839b3414724f8afd04ebbeb7264c5bb16c2ab39392bc81b1df72fde72c87985ae158605cb6ae5974a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\cyclopedia.html

Filesize
28KB

MD5
db3f3969e8a2f913fe3643d8465171b1

SHA1
736095ea1e02547a6df2586fffdbf31bb7d23656

SHA256
c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043

SHA512
0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\ptMgr.dll

Filesize
2.5MB

MD5
2087eb2d3fb639933ebe0a0614fd5218

SHA1
c1a1b75c8e76e000b7045092bd11100904a72840

SHA256
725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f

SHA512
3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\ptSrv.exe

Filesize
202KB

MD5
64179e64675e822559cac6652298bdfc

SHA1
cceed3b2441146762512918af7bf7f89fb055583

SHA256
c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

SHA512
ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\ptusredt.dll

Filesize
165KB

MD5
3c3e960d59cb413791fee1e944b6df72

SHA1
4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

SHA256
88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

SHA512
85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostbrowser\wbxtrace.dll

Filesize
103KB

MD5
c2b06a78b6c07a1371b6aed1dbf4fc37

SHA1
b8847693e7cd3637b1b400e71430cdf629de2e64

SHA256
9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04

SHA512
219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411

Download Submit
memory/1456-83-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/1456-78-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/1456-86-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/1456-84-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/1456-80-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/2524-43-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/2524-44-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/3180-88-0x0000000000190000-0x0000000000201000-memory.dmp

Filesize
452KB

Download
memory/3180-87-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/3180-102-0x0000000000190000-0x0000000000201000-memory.dmp

Filesize
452KB

Download
memory/3180-96-0x0000000000190000-0x0000000000201000-memory.dmp

Filesize
452KB

Download
memory/3180-95-0x0000000000190000-0x0000000000201000-memory.dmp

Filesize
452KB

Download
memory/3180-90-0x0000000000C60000-0x0000000001093000-memory.dmp

Filesize
4.2MB

Download
memory/3696-74-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/3696-72-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/3696-73-0x00007FF8B9650000-0x00007FF8B9845000-memory.dmp

Filesize
2.0MB

Download
memory/3696-76-0x0000000073C40000-0x0000000073DBB000-memory.dmp

Filesize
1.5MB

Download
memory/4824-25-0x00007FF89A7E0000-0x00007FF89A952000-memory.dmp

Filesize
1.4MB

Download
memory/4824-0-0x00007FF687480000-0x00007FF6884DD000-memory.dmp

Filesize
16.4MB

Download
memory/4824-8-0x00007FF89A7E0000-0x00007FF89A952000-memory.dmp

Filesize
1.4MB

Download
memory/4824-6-0x00007FF89A7E0000-0x00007FF89A952000-memory.dmp

Filesize
1.4MB

Download
memory/4824-75-0x00007FF89A7E0000-0x00007FF89A952000-memory.dmp

Filesize
1.4MB

Download