amadey | 1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

General

Target

1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe
Size

415KB
MD5

b54b8cd2e321a3f31a07921940c351fa
SHA1

926253e894b9afb824726e7312ac65220509acf9
SHA256

1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
SHA512

623c20242072f4ef03aed0eaacf90e9a35fabf04562d9fc6f86e653fb42e2f09df089c839402b652279fdb17dc097299d84dea6658165d54dc4cdf7deda7aa31
SSDEEP

12288:CPXaOtGpmLb84Jjzo6yDBuKuJ+ITOCV0d:C7tGpmf8edychVV0d

Score

10^/10

amadey e76b71 trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
588	axplong.exe
2868	Files.exe

Loads dropped DLL 6 IoCs

pid	Process
2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe
588	axplong.exe
588	axplong.exe
2824	WerFault.exe
2824	WerFault.exe
2824	WerFault.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2824	2868	WerFault.exe	33

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 588	2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe	30
PID 2556 wrote to memory of 588	2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe	30
PID 2556 wrote to memory of 588	2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe	30
PID 2556 wrote to memory of 588	2556	1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe	30
PID 588 wrote to memory of 2868	588	axplong.exe	33
PID 588 wrote to memory of 2868	588	axplong.exe	33
PID 588 wrote to memory of 2868	588	axplong.exe	33
PID 588 wrote to memory of 2868	588	axplong.exe	33
PID 2868 wrote to memory of 2824	2868	Files.exe	35
PID 2868 wrote to memory of 2824	2868	Files.exe	35
PID 2868 wrote to memory of 2824	2868	Files.exe	35
PID 2868 wrote to memory of 2824	2868	Files.exe	35

C:\Users\Admin\AppData\Local\Temp\1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe
"C:\Users\Admin\AppData\Local\Temp\1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe
    "C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 108
      4⤵
      Loads dropped DLL
      Program crash
      PID:2824
- - C:\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe
    "C:\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe"
    3⤵
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000160001\Files.exe

Filesize
1.3MB

MD5
90b3832d4da1a85d18c9c515cb01780e

SHA1
57a70473e3046328cdce3da7943d13c1a79fe8c5

SHA256
ba82b9708925f266c292334bc5e20e963c6e20ce134f03f79892fd5c26e645f8

SHA512
3987c88a9a30a0c1b2ca03e784e3c0631f83e5576faa3243787ab2407f1fd0f9302a538e0caccc785d308802eabaf91ded96902cab70be51482513c72cd383e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe

Filesize
768KB

MD5
dfc5e1dc55728b47587081b4c3461103

SHA1
2db90d23acd13d2f9699b4fcbfcceae1d29a3328

SHA256
a1c0e2625e6fc49b3f118627155970db80f46a4eef1b9ac3f58f9f92967a3224

SHA512
66259c081432d20aff034bf525d317ad5c166fdd5440a7020494c4a2191eb19f58ae12d19a0f95246d608ce8bcc56e7a9e37306b7b5ac0817980274e659af360

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe

Filesize
425KB

MD5
77bc6d9e0063c1d5fef8e408dcd58e66

SHA1
d28eb8fb7e31ef0b499dae82c8d4f8c291e91929

SHA256
0ab3fb508be36310391010d620b885f30ba1c4cbb596a2367bafe2f1109d4a58

SHA512
a25d6bef242452781a1e246e35a047da114dcea75d89800de4aecc9110b1fa31095192b4897bea03b353f5a04bde703b78d141a4733bbaf36614cf60745c2bbc

Download Submit
\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe

Filesize
321KB

MD5
53e433e61df83e004944ee9dcd73b80e

SHA1
775cbf1a9b795249c4d6ea8dd72a998bbdfa4dd3

SHA256
f807542df16d803584de6f0e8cfb752929a5387453ce9ab96269e6172f06f964

SHA512
75439c5034a2f689970368a4df7beed6fc11c630e044c180012fdd207453851e2b0682052a1afd3629921e0253dbc1ba308bd9eab7efadfc9ae8ef06e8bacdfe

Download Submit
\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe

Filesize
121KB

MD5
076cd85d2399622e58a554963dcdd79b

SHA1
216f761fb84836b94c6ab5b40060d3d90543fa24

SHA256
80ad6fd5a2dace0b0035d87556f75758588185a36ca33f9dc4818d30978c4b83

SHA512
43329dee39b4e958ac2dc40b7b3f60d129e1c72b86d16836f88c437eae08b8cd53187515279eab1cdd564e5e2b1f5104c59ea46ba5fdf6cd4f00e0a6e95c7da5

Download Submit
\Users\Admin\AppData\Local\Temp\1000202001\567jn7x.exe

Filesize
99KB

MD5
cdca9851f453be053af735611c5b27cf

SHA1
a4699a642d5edfdd6c090d6b419491033a012be0

SHA256
cbcc6859279de728a707adbedcaff03a1027b156e952705c6107fef9bd83f9ef

SHA512
fdf36a686f8965c84c8b4ac89bb177c972ca0742dbddd0b4451f370e2fee351a002b9d1d08e73284b84c8ff8706fb5e52df611ff8536a2e93af517a00cd22177

Download Submit
\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
415KB

MD5
b54b8cd2e321a3f31a07921940c351fa

SHA1
926253e894b9afb824726e7312ac65220509acf9

SHA256
1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef

SHA512
623c20242072f4ef03aed0eaacf90e9a35fabf04562d9fc6f86e653fb42e2f09df089c839402b652279fdb17dc097299d84dea6658165d54dc4cdf7deda7aa31

Download Submit
memory/588-44-0x0000000003D40000-0x0000000003EB6000-memory.dmp

Filesize
1.5MB

Download
memory/2168-45-0x0000000001160000-0x00000000012D6000-memory.dmp

Filesize
1.5MB

Download
memory/2556-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2868-27-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing