amadey | 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
Size

8.6MB
MD5

6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1

424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256

376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512

d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8
SSDEEP

98304:kHRNlpNpt3gSuDdFeznbkRBLwX1Pgedmv72Im/xAgDXMnw4bmVKAHNAXqcMHKYsN:uRrptYDdF8komd8xAUXMwIwHNvcMmN

Score

10^/10

amadey ffb1b9 trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

ffb1b9

http://proresupdate.com

Attributes

install_dir
4bbb72a446
install_file
Hkbsse.exe
strings_key
1ebbd218121948a356341fff55521237
url_paths
/h9fmdW5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Suspicious use of SetThreadContext 1 IoCs

Processes:

6cfddd5ce9ca4bb209bd5d8c2cd80025.exe

description pid process target process

PID 3548 set thread context of 536 3548 6cfddd5ce9ca4bb209bd5d8c2cd80025.exe ftp.exe
Drops file in Windows directory 1 IoCs

Processes:

ftp.exe

description ioc process

File created C:\Windows\Tasks\TWI Cloud Host.job ftp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6cfddd5ce9ca4bb209bd5d8c2cd80025.exeftp.exe

pid process

3548 6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
3548 6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
536 ftp.exe
536 ftp.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6cfddd5ce9ca4bb209bd5d8c2cd80025.exeftp.exe

pid process

3548 6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
536 ftp.exe

description	pid	process	target process
PID 3548 set thread context of 536	3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe	ftp.exe

description	ioc	process
File created	C:\Windows\Tasks\TWI Cloud Host.job	ftp.exe

pid	process
3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
536	ftp.exe
536	ftp.exe

pid	process
3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
536	ftp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6cfddd5ce9ca4bb209bd5d8c2cd80025.exeftp.exe

description	pid	process	target process
PID 3548 wrote to memory of 536	3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe	ftp.exe
PID 3548 wrote to memory of 536	3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe	ftp.exe
PID 3548 wrote to memory of 536	3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe	ftp.exe
PID 3548 wrote to memory of 536	3548	6cfddd5ce9ca4bb209bd5d8c2cd80025.exe	ftp.exe
PID 536 wrote to memory of 1748	536	ftp.exe	explorer.exe
PID 536 wrote to memory of 1748	536	ftp.exe	explorer.exe
PID 536 wrote to memory of 1748	536	ftp.exe	explorer.exe
PID 536 wrote to memory of 1748	536	ftp.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\6cfddd5ce9ca4bb209bd5d8c2cd80025.exe
"C:\Users\Admin\AppData\Local\Temp\6cfddd5ce9ca4bb209bd5d8c2cd80025.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\ftp.exe
C:\Windows\SysWOW64\ftp.exe
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
PID:1748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a34791ca
Filesize
1.1MB

MD5
8d443e7cb87cacf0f589ce55599e008f

SHA1
c7ff0475a3978271e0a8417ac4a826089c083772

SHA256
e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a

SHA512
c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57fce6f
Filesize
1.1MB

MD5
461ce424566447f1cb2d1681f2d65494

SHA1
9ef6ddc3a38287ba3816285f5e5ba58d20402ad6

SHA256
a384a991d63f4f34a4158f6a187ed3b406bc2e844c8f818eca52e2b734003103

SHA512
0bcc3f343e06da216f81805c4960c69f8a5e3fac86988f55d55677f41c7fbb0c3d980ee70bcdef75489435a7140d2858ed6f863eddb3662df9754c657e90fba0

Download Submit
memory/536-21-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-16-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-24-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-22-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-15-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-12-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/536-14-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

Filesize
2.0MB

Download
memory/1748-25-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

Filesize
2.0MB

Download
memory/1748-26-0x0000000000470000-0x00000000004E1000-memory.dmp

Filesize
452KB

Download
memory/1748-28-0x0000000000E83000-0x0000000000E8B000-memory.dmp

Filesize
32KB

Download
memory/1748-29-0x0000000000470000-0x00000000004E1000-memory.dmp

Filesize
452KB

Download
memory/3548-6-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/3548-10-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/3548-7-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

Filesize
2.0MB

Download
memory/3548-0-0x0000000000DF0000-0x0000000001303000-memory.dmp

Filesize
5.1MB

Download
memory/3548-9-0x0000000074140000-0x00000000742BB000-memory.dmp

Filesize
1.5MB

Download
memory/3548-8-0x0000000074152000-0x0000000074154000-memory.dmp

Filesize
8KB

Download