amadey | d9af261e2d79a7e6a13a86cda68e50f267129695ae2abb5ba92df720ac32a0b7

General

Target

LisectAVT_2403002A_201.exe
Size

9.2MB
MD5

e07a8dd6ca20053ba2a90cf52be73e43
SHA1

1a42c89ca50559c1a0668a8a8d31f0ce49620c05
SHA256

d9af261e2d79a7e6a13a86cda68e50f267129695ae2abb5ba92df720ac32a0b7
SHA512

97a8bad9c962a40ea2c9f5dd770962e84e4d9cad0ca95a87e7e202c84ab4773559b5d5ad025594b4a11f68b87ce2898837d26ab700d4ed62e92eea5a535f3b57
SSDEEP

196608:h6UDQWmkC75MSrTfm/E2nTOqyf39XHRRcV:/O7t/TeVnT3G3VHRS

Score

10^/10

amadey hijackloader 8a2f5d discovery loader trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

8a2f5d

C2

http://fastestfreecdn.com

Attributes

install_dir
881c8a9dda
install_file
Dctooux.exe
strings_key
ebf317c42a152243f9fc9b81833d775c
url_paths
/7vAficZogD/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/memory/1824-13-0x0000000000400000-0x0000000000D35000-memory.dmp	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2852	1824	LisectAVT_2403002A_201.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002A_201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	LisectAVT_2403002A_201.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	LisectAVT_2403002A_201.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1824	LisectAVT_2403002A_201.exe
1824	LisectAVT_2403002A_201.exe
2852	cmd.exe
2852	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1824	LisectAVT_2403002A_201.exe
2852	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2852	1824	LisectAVT_2403002A_201.exe	30
PID 1824 wrote to memory of 2852	1824	LisectAVT_2403002A_201.exe	30
PID 1824 wrote to memory of 2852	1824	LisectAVT_2403002A_201.exe	30
PID 1824 wrote to memory of 2852	1824	LisectAVT_2403002A_201.exe	30
PID 1824 wrote to memory of 2852	1824	LisectAVT_2403002A_201.exe	30
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34
PID 2852 wrote to memory of 2900	2852	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_201.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_201.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\815bc700

Filesize
1.1MB

MD5
7a02d98c823d515df86e19868214ca49

SHA1
56f7a5e6b490d0b656ecb6682b5fd5bf08c8869d

SHA256
7c41e56451f6f89f09ea39db587327866cd612db6cb714216c254ef2694cc4d6

SHA512
084664f1d54abba6268c1eaea9bcd1cd322ca799192d59c22656498660bfa9a5985f9139eeba3daac8e47f380bfe56fd606745f22d625c2d9721a48074fa1d1b

Download Submit
memory/1824-14-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1824-15-0x0000000077B10000-0x0000000077CB9000-memory.dmp

Filesize
1.7MB

Download
memory/1824-16-0x0000000074AF2000-0x0000000074AF3000-memory.dmp

Filesize
4KB

Download
memory/1824-17-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1824-18-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1824-13-0x0000000000400000-0x0000000000D35000-memory.dmp

Filesize
9.2MB

Download
memory/2852-22-0x0000000077B10000-0x0000000077CB9000-memory.dmp

Filesize
1.7MB

Download
memory/2852-20-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2852-70-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2852-71-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2852-75-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2900-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-76-0x0000000077B10000-0x0000000077CB9000-memory.dmp

Filesize
1.7MB

Download
memory/2900-77-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2900-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing