Malware Analysis Report

2025-03-15 03:56

Sample ID 240627-vzyz6a1hmf
Target am.exe
SHA256 cfe865ff674950f8d2bde9161d0b0a34b26b9f742022754f212077d9068a3ea4
Tags: amadey, 3b29ee, execution, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: cfe865ff674950f8d2bde9161d0b0a34b26b9f742022754f212077d9068a3ea4
Threat Level: Known bad

The file am.exe was found to be: Known bad.

Malicious Activity Summary

Tags: amadey, 3b29ee, execution, trojan

Amadey

Blocklisted process makes network request

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-27 17:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-27 17:26
Reported: 2024-06-27 17:29
Platform: win7-20240508-en
Max time kernel: 148s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\am.exe"

Signatures

Amadey

trojan amadey

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2188 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\am.exe C:\Windows\SysWOW64\more.com

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Synapse Service.job C:\Windows\SysWOW64\more.com N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2140 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\am.exe C:\Windows\SysWOW64\more.com
PID 2140 wrote to memory of 2732 (5 events) N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\explorer.exe
PID 2732 wrote to memory of 2828 (4 events) N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\am.exe

"C:\Users\Admin\AppData\Local\Temp\am.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
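The signature rows for this run describe a chain that reads as process hollowing followed by two further injections: am.exe (PID 2188) writes into and sets the thread context of a freshly started more.com, more.com writes into explorer.exe, and explorer.exe writes into powershell.exe, which then runs a script from the user's Temp directory with -executionpolicy remotesigned. (The command line names System32\powershell.exe while the reported image path is under SysWOW64: the 32-bit parent's CreateProcess call went through WOW64 file-system redirection, which is why both paths appear.) The Python below is an added example, not part of this sandbox report or of the sandbox's own signature engine. It rebuilds that chain from records constructed from the PIDs, image paths and command line shown above and applies three rules a detection engineer would write for it. The event field names, the path regexes and the rule thresholds are my own assumptions, not a real EDR schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str          # image path as the sandbox reported it
    cmdline: str = ""


# Processes and command lines taken from the behavioral1 run of this report.
PROCS: Dict[int, Proc] = {
    2188: Proc(2188, r"C:\Users\Admin\AppData\Local\Temp\am.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\am.exe"'),
    2140: Proc(2140, r"C:\Windows\SysWOW64\more.com",
               r"C:\Windows\SysWOW64\more.com"),
    2732: Proc(2732, r"C:\Windows\SysWOW64\explorer.exe",
               r"C:\Windows\SysWOW64\explorer.exe"),
    2828: Proc(2828, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
               r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
               r'-executionpolicy remotesigned -File '
               r'"C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"'),
}

# Cross-process API events from the Signatures tables: (api, source pid, target pid).
# The report lists one SetThreadContext row and 14 WriteProcessMemory rows.
EVENTS: List[Tuple[str, int, int]] = (
    [("SetThreadContext", 2188, 2140)]
    + [("WriteProcessMemory", 2188, 2140)] * 5
    + [("WriteProcessMemory", 2140, 2732)] * 5
    + [("WriteProcessMemory", 2732, 2828)] * 4
)

# Assumed path classes: anything under \Users\ is user-writable, System32/SysWOW64 is system.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
# -ExecutionPolicy may be abbreviated (-ep, -ex, -exec ...).  RemoteSigned only checks
# scripts carrying a Mark-of-the-Web, so a script written locally by malware runs
# unsigned under it; treat it like Bypass/Unrestricted for this rule.
LAX_POLICY = re.compile(r"-(ep|ex\w*)\s+(bypass|unrestricted|remotesigned)\b", re.I)
SCRIPT_IN_TEMP = re.compile(r'-File\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.ps1)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def write_edges(events) -> Dict[int, Set[int]]:
    """Directed graph: source pid -> pids it wrote into or whose thread it re-pointed."""
    edges: Dict[int, Set[int]] = {}
    for _api, src, dst in events:
        edges.setdefault(src, set()).add(dst)
    return edges


def hollowing_origins(procs, events) -> List[int]:
    """Rule 1: a process running from a user-writable path that both wrote memory into
    and set the thread context of a process whose image lives in a system directory."""
    apis: Dict[Tuple[int, int], Set[str]] = {}
    for api, src, dst in events:
        apis.setdefault((src, dst), set()).add(api)
    return sorted(src for (src, dst), seen in apis.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= seen
                  and USER_WRITABLE.match(procs[src].image)
                  and SYSTEM_DIR.match(procs[dst].image))


def follow_chain(origin: int, edges) -> List[int]:
    """Walk the write graph from origin (lowest target pid first, no revisits)."""
    chain, seen = [origin], {origin}
    while chain[-1] in edges:
        nxt = [t for t in sorted(edges[chain[-1]]) if t not in seen]
        if not nxt:
            break
        seen.add(nxt[0])
        chain.append(nxt[0])
    return chain


def analyse(procs, events) -> Dict[str, object]:
    """Rules 2 and 3: follow each hollowing origin to the end of its injection chain and
    inspect the last process if it is PowerShell."""
    findings: List[str] = []
    chains: List[List[str]] = []
    for origin in hollowing_origins(procs, events):
        pids = follow_chain(origin, write_edges(events))
        names = [basename(procs[p].image) for p in pids]
        chains.append(names)
        findings.append(f"hollowing: {names[0]} (pid {pids[0]}) -> {names[1]} (pid {pids[1]})")
        if len(pids) > 2:
            findings.append("injection chain: " + " -> ".join(names))
        last = procs[pids[-1]]
        if basename(last.image) in ("powershell.exe", "pwsh.exe"):
            if LAX_POLICY.search(last.cmdline):
                findings.append("powershell with relaxed execution policy reached via injection")
            m = SCRIPT_IN_TEMP.search(last.cmdline)
            if m:
                findings.append("powershell script staged in user temp: " + m.group(1))
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    for line in analyse(PROCS, EVENTS)["findings"]:
        print(line)
```

On a real endpoint the same edges come from EDR cross-process telemetry; Sysmon does not log WriteProcessMemory itself, but Event ID 10 (ProcessAccess) shows the handle rights (PROCESS_VM_WRITE, PROCESS_SET_INFORMATION) the injector requested, and Event ID 8 covers the CreateRemoteThread variant, so the graph above can be fed from those instead of sandbox signature rows.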

Network

Country Destination Domain Proto
US 8.8.8.8:53 pixeldrain.com udp
NL 50.7.22.10:443 pixeldrain.com tcp
NL 50.7.22.10:443 pixeldrain.com tcp
US 8.8.8.8:53 s6.imgcdn.dev udp
US 172.67.144.147:443 s6.imgcdn.dev tcp
US 8.8.8.8:53 filesoftdownload.com udp
US 8.8.8.8:53 downloadsoftfiles.com udp
US 8.8.8.8:53 downloadfilesoft.com udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp

Files

memory/2188-2-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c2dd8327

MD5 470247c1e7e216800f656be7ae39571c
SHA1 53565deeb9d546a943018d40447e64192348e567
SHA256 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631
SHA512 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf

memory/2188-8-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2188-9-0x0000000077820000-0x00000000779C9000-memory.dmp

memory/2188-11-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2188-10-0x00000000745C2000-0x00000000745C4000-memory.dmp

memory/2188-12-0x00000000745B0000-0x0000000074724000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c5a22110

MD5 b72579d13f716f0da989b263438792fc
SHA1 870969143c3eda315d9af28b1ffc53ae3dae900c
SHA256 561b49d39fb31c0172c8058b4e8a34669997e7afb82944fee3f4d9d326b0153d
SHA512 e3e088ab209dc1bffa001b51a66db169f58947219849d53afd88abb1d6b68264ca5466ff84dae9e741faee8e5cebd331177f8db24fe890721667514a3e47c90d

memory/2140-14-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2140-16-0x0000000077820000-0x00000000779C9000-memory.dmp

memory/2140-17-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2140-18-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2140-23-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2140-24-0x00000000745B0000-0x0000000074724000-memory.dmp

memory/2732-26-0x0000000077820000-0x00000000779C9000-memory.dmp

memory/2732-27-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2732-29-0x0000000000C00000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/2732-54-0x0000000000400000-0x0000000000470000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-27 17:26
Reported: 2024-06-27 17:28
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\am.exe"

Signatures

Amadey

trojan amadey

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 224 N/A C:\Users\Admin\AppData\Local\Temp\am.exe C:\Windows\SysWOW64\more.com

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Synapse Service.job C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\am.exe

"C:\Users\Admin\AppData\Local\Temp\am.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pixeldrain.com udp
DE 188.241.219.191:443 pixeldrain.com tcp
US 8.8.8.8:53 s6.imgcdn.dev udp
US 172.67.144.147:443 s6.imgcdn.dev tcp
US 8.8.8.8:53 191.219.241.188.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 147.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 downloadsoftfiles.com udp
US 8.8.8.8:53 filesoftdownload.com udp
US 8.8.8.8:53 downloadfilesoft.com udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
US 8.8.8.8:53 67.42.76.80.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/2220-2-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9ff7ebc0

MD5 470247c1e7e216800f656be7ae39571c
SHA1 53565deeb9d546a943018d40447e64192348e567
SHA256 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631
SHA512 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf

memory/2220-8-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/2220-9-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

memory/2220-11-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/2220-10-0x00000000738D2000-0x00000000738D4000-memory.dmp

memory/2220-12-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/224-14-0x00000000738C0000-0x0000000073A3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a342daab

MD5 5102320cf5eb451f2e03371b952dbe03
SHA1 f735d3e315567b8c876587e7fc8d034cc9def31c
SHA256 1422f1021f4a52a3f79c79fbea7ce617876cbdea1d08868dca855fb1bc73434a
SHA512 613ae8871b50b122b40b2914dfd8b3e52534c519a80d632fc9df1d86834c0405df111d35549e25eb9ed17c2f91e224b3a3b1aca360420fd8eaa788bdd3823b9b

memory/224-16-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

memory/224-17-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/224-18-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/224-23-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/224-24-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/224-26-0x00000000738C0000-0x0000000073A3B000-memory.dmp

memory/1204-27-0x00007FFBB40D0000-0x00007FFBB42C5000-memory.dmp

memory/1204-28-0x0000000000560000-0x00000000005D0000-memory.dmp

memory/1204-31-0x0000000000560000-0x00000000005D0000-memory.dmp

memory/1204-32-0x0000000000BC3000-0x0000000000BCB000-memory.dmp

memory/1204-33-0x0000000000560000-0x00000000005D0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-27 17:26
Reported: 2024-06-27 17:28
Platform: win11-20240611-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\am.exe"

Signatures

Amadey

trojan amadey

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4148 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\Temp\am.exe C:\Windows\SysWOW64\more.com

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Synapse Service.job C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\am.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\am.exe

"C:\Users\Admin\AppData\Local\Temp\am.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pixeldrain.com udp
NL 50.7.22.10:443 pixeldrain.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.22.7.50.in-addr.arpa udp
US 104.21.39.110:443 s6.imgcdn.dev tcp
US 8.8.8.8:53 downloadfilesoft.com udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
N/A 2.22.144.81:80 tcp
N/A 192.229.221.95:80 tcp
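Across the three Network tables (behavioral1, behavioral2 and this one) the udp/53 rows are DNS queries to the sandbox resolver at 8.8.8.8, the in-addr.arpa rows are reverse lookups of addresses the VM touched, and the tcp rows are the actual connections. Only the tcp rows identify remote endpoints the sample used; domains that were resolved but never connected (filesoftdownload.com, downloadsoftfiles.com in the win7 and win10 runs) still belong on a blocklist, because the sample asked for them. The script below is an added example, not part of this report; it parses a constructed subset of rows copied verbatim from the three tables, drops resolver and PTR noise, and reports which domains were contacted in every detonation and what endpoints each resolved to. The column handling and the "stable across all runs" criterion are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rows excerpted from the three Network tables of this report (constructed subset;
# the full tables contain more rows, including repeated connections).
RUNS: Dict[str, str] = {
    "behavioral1 (win7)": """
US 8.8.8.8:53 pixeldrain.com udp
NL 50.7.22.10:443 pixeldrain.com tcp
US 8.8.8.8:53 filesoftdownload.com udp
US 8.8.8.8:53 downloadsoftfiles.com udp
US 8.8.8.8:53 downloadfilesoft.com udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
RU 80.76.42.67:80 downloadfilesoft.com tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
""",
    "behavioral2 (win10)": """
DE 188.241.219.191:443 pixeldrain.com tcp
US 8.8.8.8:53 191.219.241.188.in-addr.arpa udp
US 8.8.8.8:53 downloadfilesoft.com udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
US 172.67.144.147:443 s6.imgcdn.dev tcp
""",
    "behavioral3 (win11)": """
NL 50.7.22.10:443 pixeldrain.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 80.76.42.67:80 downloadfilesoft.com tcp
N/A 2.22.144.81:80 tcp
""",
}

# country  ip:port  [domain]  proto   (the domain column is absent for bare-IP rows)
ROW = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse(text: str) -> List[dict]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def kind(row: dict) -> str:
    """dns = forward lookup, reverse-dns = PTR noise, connection = real traffic."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "reverse-dns" if (row["domain"] or "").endswith(".in-addr.arpa") else "dns"
    return "connection"


def summarise(runs: Dict[str, str]) -> Dict[str, object]:
    total = len(runs)
    connections = defaultdict(lambda: {"endpoints": set(), "runs": set()})
    queried = defaultdict(set)      # domain -> runs in which it was looked up
    ip_only = set()                 # connections the sandbox could not tie to a domain
    for run, text in runs.items():
        for row in parse(text):
            k = kind(row)
            endpoint = f'{row["ip"]}:{row["port"]}'
            if k == "reverse-dns":
                continue            # PTR lookups by the VM/OS, not attacker infrastructure
            if k == "dns":
                queried[row["domain"]].add(run)
            elif row["domain"]:
                connections[row["domain"]]["endpoints"].add(endpoint)
                connections[row["domain"]]["runs"].add(run)
            else:
                ip_only.add(endpoint)
    return {
        # contacted in every detonation: the most reliable network indicators
        "stable_domains": sorted(d for d, i in connections.items() if len(i["runs"]) == total),
        "endpoints": {d: sorted(i["endpoints"]) for d, i in connections.items()},
        # asked for, never reached: still worth blocking
        "resolved_only": sorted(d for d in queried if d not in connections),
        "ip_only": sorted(ip_only),
    }


if __name__ == "__main__":
    for key, value in summarise(RUNS).items():
        print(key, value)
```

The stable set comes out as downloadfilesoft.com (80.76.42.67:80 in all three runs, a usable IP indicator) and pixeldrain.com (a different address per run). pixeldrain.com is a public file-sharing host, and s6.imgcdn.dev appears to be used the same way for image hosting, so those are better handled as URL- or hash-level indicators than as domain blocks; downloadfilesoft.com and contur2fa.recipeupdates.rest carry no such collateral.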

Files

memory/4148-2-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aa36df14

MD5 470247c1e7e216800f656be7ae39571c
SHA1 53565deeb9d546a943018d40447e64192348e567
SHA256 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631
SHA512 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf

memory/4148-8-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/4148-9-0x00007FFAA2700000-0x00007FFAA2909000-memory.dmp

memory/4148-10-0x00000000735C2000-0x00000000735C4000-memory.dmp

memory/4148-11-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/4148-12-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/5040-14-0x00000000735B0000-0x000000007372D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\acc04c1f

MD5 bc9e35e7255bbc93eb9412ddbd5663d1
SHA1 892df950542d76f5307225dc3ce0405b0cd47bf8
SHA256 a6924737d029466d74eb4feab8236be00d84b16938a5f903e0783c07bda58a5d
SHA512 74cffa3575750de263ffcef3e589beb80833985800f20d51fa77c730797c4129ae6c4f1e15fc3363a12ad8935440cd90ad3d544bcbbf36c1acdac4f975ab2286

memory/5040-16-0x00007FFAA2700000-0x00007FFAA2909000-memory.dmp

memory/5040-17-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/5040-18-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/5040-23-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/5040-24-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/5040-26-0x00000000735B0000-0x000000007372D000-memory.dmp

memory/688-27-0x00007FFAA2700000-0x00007FFAA2909000-memory.dmp

memory/688-28-0x0000000000B40000-0x0000000000BB0000-memory.dmp

memory/688-30-0x0000000000B40000-0x0000000000BB0000-memory.dmp
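Three detonations on three Windows versions make it possible to tell which dropped artefacts are stable indicators and which are not. The memory/... .dmp entries in each Files section are sandbox memory-region dumps, not files the sample wrote. Of the real files, the first Temp file has a different eight-hex-character name in every run (c2dd8327, 9ff7ebc0, aa36df14) but always the same SHA256, the second Temp file differs in both name and content, the task file C:\Windows\Tasks\Synapse Service.job (Task Scheduler 1.0 .job format, which current Windows still honours from %SystemRoot%\Tasks) is created in every run, and run.ps1 appears only in the win7 run, the one detonation that reached the PowerShell stage. The Python below is an added example, not part of the report; it encodes the three Files sections as data and derives IOC recommendations from run-to-run stability. The classification rules and the random-name regex are my own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

SHA_STABLE = "13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631"
JOB = r"C:\Windows\Tasks\Synapse Service.job"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Files written per detonation, from the three Files sections and the
# "Drops file in Windows directory" rows (None = created but not hashed by the sandbox).
RUNS: Dict[str, Dict[str, Optional[str]]] = {
    "win7-20240508-en": {
        TEMP + r"\c2dd8327": SHA_STABLE,
        TEMP + r"\c5a22110": "561b49d39fb31c0172c8058b4e8a34669997e7afb82944fee3f4d9d326b0153d",
        TEMP + r"\1000003041\run.ps1": "df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10",
        JOB: None,
    },
    "win10v2004-20240508-en": {
        TEMP + r"\9ff7ebc0": SHA_STABLE,
        TEMP + r"\a342daab": "1422f1021f4a52a3f79c79fbea7ce617876cbdea1d08868dca855fb1bc73434a",
        JOB: None,
    },
    "win11-20240611-en": {
        TEMP + r"\aa36df14": SHA_STABLE,
        TEMP + r"\acc04c1f": "a6924737d029466d74eb4feab8236be00d84b16938a5f903e0783c07bda58a5d",
        JOB: None,
    },
}

# Assumed pattern for the sample's throwaway Temp files: exactly eight hex characters.
RANDOM_TEMP_NAME = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[0-9a-f]{8}$", re.I)


def classify(runs: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    total = len(runs)
    by_hash = defaultdict(set)   # sha256 -> runs it was seen in
    by_path = defaultdict(set)   # path   -> runs it was seen in
    for run, files in runs.items():
        for path, sha in files.items():
            by_path[path].add(run)
            if sha:
                by_hash[sha].add(run)
    return {
        # same content in every run: a hash indicator that will survive re-detonation
        "stable_hashes": sorted(h for h, r in by_hash.items() if len(r) == total),
        # seen once: may be per-run or per-victim, keep but rank low
        "run_specific_hashes": sorted(h for h, r in by_hash.items() if len(r) == 1),
        # same path in every run: a filesystem indicator for host hunting
        "stable_paths": sorted(p for p, r in by_path.items() if len(r) == total),
        # randomly named: match on the naming pattern, not the name
        "random_temp_names": sorted(p for p in by_path if RANDOM_TEMP_NAME.match(p)),
    }


def ioc_recommendations(runs) -> List[str]:
    c = classify(runs)
    recs = [f"sha256 {h}" for h in c["stable_hashes"]]
    recs += [f"path {p}" for p in c["stable_paths"]]
    if c["random_temp_names"]:
        recs.append(r"pattern %LOCALAPPDATA%\Temp\<8 hex chars> (name changes per run)")
    recs += [f"sha256 (single run, weak) {h}" for h in c["run_specific_hashes"]]
    return recs


if __name__ == "__main__":
    for rec in ioc_recommendations(RUNS):
        print(rec)
```

For host hunting, the stable path is the cheapest check: a .job file in C:\Windows\Tasks on a machine that has never had a legacy AT job is unusual by itself, and the name "Synapse Service" is fixed across all three runs here.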