Malware Analysis Report

2025-03-15 03:56

Sample ID 240627-v39wtsthkn
Target am.exe
SHA256 cfe865ff674950f8d2bde9161d0b0a34b26b9f742022754f212077d9068a3ea4
Tags
amadey 3b29ee trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfe865ff674950f8d2bde9161d0b0a34b26b9f742022754f212077d9068a3ea4

Threat Level: Known bad

The file am.exe was found to be: Known bad.

Malicious Activity Summary

amadey 3b29ee trojan

Amadey

Suspicious use of SetThreadContext

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 17:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 17:32

Reported

2024-06-27 17:34

Platform

win7-20240508-en

Max time kernel

147s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\am.exe"

Signatures

Amadey

trojan amadey

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1736 set thread context of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Synapse Service.job | C:\Windows\SysWOW64\more.com | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\am.exe

"C:\Users\Admin\AppData\Local\Temp\am.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pixeldrain.com | udp
DE | 188.241.219.191:443 | pixeldrain.com | tcp
DE | 188.241.219.191:443 | pixeldrain.com | tcp
US | 8.8.8.8:53 | s6.imgcdn.dev | udp
US | 104.21.39.110:443 | s6.imgcdn.dev | tcp
US | 8.8.8.8:53 | downloadfilesoft.com | udp
US | 8.8.8.8:53 | downloadsoftfiles.com | udp
US | 8.8.8.8:53 | filesoftdownload.com | udp
RU | 80.76.42.67:80 | filesoftdownload.com | tcp
RU | 80.76.42.67:80 | filesoftdownload.com | tcp
RU | 80.76.42.67:80 | filesoftdownload.com | tcp

Files

memory/1736-2-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a81d6375

MD5 470247c1e7e216800f656be7ae39571c
SHA1 53565deeb9d546a943018d40447e64192348e567
SHA256 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631
SHA512 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf

memory/1736-8-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/1736-9-0x0000000077B70000-0x0000000077D19000-memory.dmp

memory/1736-10-0x0000000074912000-0x0000000074914000-memory.dmp

memory/1736-11-0x0000000074900000-0x0000000074A74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ab261854

MD5 59c69df5e2c415949b64650995c73a16
SHA1 d4e5ff0c442c90359f324dbc8b9b908152dfaa27
SHA256 5136196102777023f871472133c93c943d9c1c4eb4e60eced18fd967efdd70fb
SHA512 b532df9abf2ad1cf5b4a405723457389dcb5bdd00c70dee57388ad1eeab51decd006c1a6c8c2f6f5f5092f67442fcc407fe470e758937bfd162cbdc4fcd94145

memory/1736-12-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2268-15-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2268-16-0x0000000077B70000-0x0000000077D19000-memory.dmp

memory/2268-17-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2268-18-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2268-23-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2268-24-0x0000000074900000-0x0000000074A74000-memory.dmp

memory/2552-26-0x0000000077B70000-0x0000000077D19000-memory.dmp

memory/2552-27-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2552-29-0x0000000000540000-0x0000000000548000-memory.dmp

memory/2552-30-0x0000000000400000-0x0000000000470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 17:32

Reported

2024-06-27 17:34

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\am.exe"

Signatures

Amadey

trojan amadey

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1148 set thread context of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Synapse Service.job | C:\Windows\SysWOW64\more.com | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\am.exe

"C:\Users\Admin\AppData\Local\Temp\am.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pixeldrain.com | udp
NL | 50.7.236.50:443 | pixeldrain.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | s6.imgcdn.dev | udp
US | 172.67.144.147:443 | s6.imgcdn.dev | tcp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.236.7.50.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.144.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | filesoftdownload.com | udp
US | 8.8.8.8:53 | downloadsoftfiles.com | udp
US | 8.8.8.8:53 | downloadfilesoft.com | udp
RU | 80.76.42.67:80 | downloadfilesoft.com | tcp
RU | 80.76.42.67:80 | downloadfilesoft.com | tcp
RU | 80.76.42.67:80 | downloadfilesoft.com | tcp
US | 8.8.8.8:53 | 67.42.76.80.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.242.123.52.in-addr.arpa | udp

Files

memory/1148-2-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c369b7fa

MD5 470247c1e7e216800f656be7ae39571c
SHA1 53565deeb9d546a943018d40447e64192348e567
SHA256 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631
SHA512 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf

memory/1148-8-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/1148-9-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp

memory/1148-10-0x0000000073C42000-0x0000000073C44000-memory.dmp

memory/1148-11-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/1148-12-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2972-14-0x0000000073C30000-0x0000000073DAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c64ea66d

MD5 50f9a8830f0ae8e973d03b7bd1bb5356
SHA1 5f3b45271a2c2a694cafd251d55b59d93622a7ec
SHA256 9de13fff394b19f5fcab3833d02cd401558f561990b9cbabab22a1766b677400
SHA512 21110788ecaaa1e443414d78b923750921fe1ffd586d2f8c6348d65a15b4ac6a84be369b76e077b357c4adbaceb2bbe7363b99053ded46711a5405c2429f7fc9

memory/2972-16-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp

memory/2972-17-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2972-18-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2972-23-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2972-24-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2972-26-0x0000000073C30000-0x0000000073DAB000-memory.dmp

memory/2620-27-0x00007FFB5EE70000-0x00007FFB5F065000-memory.dmp

memory/2620-28-0x0000000000550000-0x00000000005C0000-memory.dmp

memory/2620-31-0x0000000000550000-0x00000000005C0000-memory.dmp

memory/2620-32-0x0000000000CE3000-0x0000000000CEB000-memory.dmp

memory/2620-33-0x0000000000550000-0x00000000005C0000-memory.dmp