amadey | 6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba

Resubmissions

14/05/2024, 15:49

240514-s9tr3sde77 10

13/05/2024, 14:12

240513-rh5vlahg9z 10

Analysis

max time kernel
125s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 14:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe
Size

218KB
MD5

aa9fa7808dca4fd4cadab28cabbc3266
SHA1

1a45810526df332dba5003d0627d1c14bf5183ed
SHA256

6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba
SHA512

a5aa58e5832410d68ad8c2c0f2fd58a496ef5e79b97fe728259993b81f13bc7ef77ec26faf0410f9fa88037fcd87ca09d699ca64d7aa8b11dab83f0f42c5df5a
SSDEEP

6144:Q/31H3YucxpcxoLebwlAsUy8F0WEutMVPdKET:QFmxCxoakeLyw0WEutMV

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.20

http://dhisa8f9ah02hopasiaf.com

http://happyday9risce.com

http://xksldjf9sksdjfks.com

Attributes

install_dir
a10b8dfb5f
install_file
orxds.exe
strings_key
6768875d0dd576a718d85aa1d71d25c1
url_paths
/gg4mn3s/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1744	orxds.exe
3052	orxds.exe
328	orxds.exe

Loads dropped DLL 1 IoCs

pid	Process
1312	6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2576	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1744	1312	6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe	28
PID 1312 wrote to memory of 1744	1312	6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe	28
PID 1312 wrote to memory of 1744	1312	6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe	28
PID 1312 wrote to memory of 1744	1312	6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe	28
PID 1744 wrote to memory of 2964	1744	orxds.exe	29
PID 1744 wrote to memory of 2964	1744	orxds.exe	29
PID 1744 wrote to memory of 2964	1744	orxds.exe	29
PID 1744 wrote to memory of 2964	1744	orxds.exe	29
PID 1744 wrote to memory of 2576	1744	orxds.exe	31
PID 1744 wrote to memory of 2576	1744	orxds.exe	31
PID 1744 wrote to memory of 2576	1744	orxds.exe	31
PID 1744 wrote to memory of 2576	1744	orxds.exe	31
PID 2964 wrote to memory of 2792	2964	cmd.exe	33
PID 2964 wrote to memory of 2792	2964	cmd.exe	33
PID 2964 wrote to memory of 2792	2964	cmd.exe	33
PID 2964 wrote to memory of 2792	2964	cmd.exe	33
PID 2520 wrote to memory of 3052	2520	taskeng.exe	36
PID 2520 wrote to memory of 3052	2520	taskeng.exe	36
PID 2520 wrote to memory of 3052	2520	taskeng.exe	36
PID 2520 wrote to memory of 3052	2520	taskeng.exe	36
PID 2520 wrote to memory of 328	2520	taskeng.exe	42
PID 2520 wrote to memory of 328	2520	taskeng.exe	42
PID 2520 wrote to memory of 328	2520	taskeng.exe	42
PID 2520 wrote to memory of 328	2520	taskeng.exe	42

C:\Users\Admin\AppData\Local\Temp\6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe
"C:\Users\Admin\AppData\Local\Temp\6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
  "C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2576

C:\Windows\system32\taskeng.exe
taskeng.exe {B067BDFB-540C-4C43-84A7-CDC4CCB033F1} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
  C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
  C:\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe
  2⤵
  - Executes dropped EXE
  PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\706698469400

Filesize
65KB

MD5
123e8b8fd4266998e75f0dd22f440463

SHA1
dc6ab9a93e0293128c7b96843e19213d0eab8d7c

SHA256
c6d33176220d05ee9cf4ca25de48834fe9db233cb41dd6a1d560a4e3c72d1b62

SHA512
fc6f4ab7b4ad7dbab06ffd9feff78bf79a19fb5b55890ba8f213b1dd08f4cc20871792cc8dfc97f28bbe620d0ea73d63fe608717ceb5ebd2c4119d7104a625fc

Download Submit
\Users\Admin\AppData\Local\Temp\a10b8dfb5f\orxds.exe

Filesize
218KB

MD5
aa9fa7808dca4fd4cadab28cabbc3266

SHA1
1a45810526df332dba5003d0627d1c14bf5183ed

SHA256
6e01f9d1997186d06274a508bc0a511aa6fb50e430b77efca593c00d3fc62cba

SHA512
a5aa58e5832410d68ad8c2c0f2fd58a496ef5e79b97fe728259993b81f13bc7ef77ec26faf0410f9fa88037fcd87ca09d699ca64d7aa8b11dab83f0f42c5df5a

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads