amadey | 9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe
Size

1.0MB
MD5

c065ba22909fc8dbded4ea0eebb24ad5
SHA1

b3d61dd7519be3d2909be9ce2d28f65ec7f9965d
SHA256

9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d
SHA512

b8621a86897e0da506157225ef049e92e6c6bff9837e6e2a2b55328b6931e8bd484e57dba9d2fa532728a7e35a36918a1f699cc3a9af11d26ac1fbd4fce72814
SSDEEP

24576:vqJm/Xl+FIqBwq4QlGsljfzlE6J4zYfs6nScxy63:S4l+OqyLQHugVfDnS8y63

Score

10^/10

amadey 550eb4 discovery trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

550eb4

http://45.202.35.101

Attributes

install_dir
9d94d7e7d6
install_file
Hkbsse.exe
strings_key
ff6ff15737aa82945cf5241d1644ddb4
url_paths
/pLQvfD4d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2652 created 1272	2652	Powder.pif	21

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	Powder.pif

Loads dropped DLL 1 IoCs

pid	Process
1940	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.com
5	iplogger.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2100	tasklist.exe
2832	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powder.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	2832	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2652	Powder.pif
2652	Powder.pif
2652	Powder.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1940	2132	9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe	30
PID 2132 wrote to memory of 1940	2132	9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe	30
PID 2132 wrote to memory of 1940	2132	9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe	30
PID 2132 wrote to memory of 1940	2132	9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe	30
PID 1940 wrote to memory of 2100	1940	cmd.exe	32
PID 1940 wrote to memory of 2100	1940	cmd.exe	32
PID 1940 wrote to memory of 2100	1940	cmd.exe	32
PID 1940 wrote to memory of 2100	1940	cmd.exe	32
PID 1940 wrote to memory of 2940	1940	cmd.exe	33
PID 1940 wrote to memory of 2940	1940	cmd.exe	33
PID 1940 wrote to memory of 2940	1940	cmd.exe	33
PID 1940 wrote to memory of 2940	1940	cmd.exe	33
PID 1940 wrote to memory of 2832	1940	cmd.exe	35
PID 1940 wrote to memory of 2832	1940	cmd.exe	35
PID 1940 wrote to memory of 2832	1940	cmd.exe	35
PID 1940 wrote to memory of 2832	1940	cmd.exe	35
PID 1940 wrote to memory of 2788	1940	cmd.exe	36
PID 1940 wrote to memory of 2788	1940	cmd.exe	36
PID 1940 wrote to memory of 2788	1940	cmd.exe	36
PID 1940 wrote to memory of 2788	1940	cmd.exe	36
PID 1940 wrote to memory of 2924	1940	cmd.exe	37
PID 1940 wrote to memory of 2924	1940	cmd.exe	37
PID 1940 wrote to memory of 2924	1940	cmd.exe	37
PID 1940 wrote to memory of 2924	1940	cmd.exe	37
PID 1940 wrote to memory of 2904	1940	cmd.exe	38
PID 1940 wrote to memory of 2904	1940	cmd.exe	38
PID 1940 wrote to memory of 2904	1940	cmd.exe	38
PID 1940 wrote to memory of 2904	1940	cmd.exe	38
PID 1940 wrote to memory of 2816	1940	cmd.exe	39
PID 1940 wrote to memory of 2816	1940	cmd.exe	39
PID 1940 wrote to memory of 2816	1940	cmd.exe	39
PID 1940 wrote to memory of 2816	1940	cmd.exe	39
PID 1940 wrote to memory of 2652	1940	cmd.exe	40
PID 1940 wrote to memory of 2652	1940	cmd.exe	40
PID 1940 wrote to memory of 2652	1940	cmd.exe	40
PID 1940 wrote to memory of 2652	1940	cmd.exe	40
PID 1940 wrote to memory of 2800	1940	cmd.exe	41
PID 1940 wrote to memory of 2800	1940	cmd.exe	41
PID 1940 wrote to memory of 2800	1940	cmd.exe	41
PID 1940 wrote to memory of 2800	1940	cmd.exe	41
PID 2652 wrote to memory of 2628	2652	Powder.pif	42
PID 2652 wrote to memory of 2628	2652	Powder.pif	42
PID 2652 wrote to memory of 2628	2652	Powder.pif	42
PID 2652 wrote to memory of 2628	2652	Powder.pif	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe
  "C:\Users\Admin\AppData\Local\Temp\9817f4d8bc1374f102196cfcb8a351abdc0563dea60f6084a7525e5ee5409b6d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Centres Centres.bat & Centres.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2940
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 103495
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "aroundaccommodategroupseverything" Fine
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Correct + ..\Transparent + ..\Barbie + ..\Gloves + ..\Latin + ..\Story + ..\Ski + ..\Appraisal n
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\103495\Powder.pif
      Powder.pif n
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2652
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & echo URL="C:\Users\Admin\AppData\Local\GuardianCrypto Systems Inc\GuardianCryptoElite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardianCryptoElite.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000132001\33.exe

Filesize
7.5MB

MD5
e071b6dd90f4c7a9d23632bfb9517925

SHA1
9ef06985e2f58c3cd0a64780819e7812d6ae849e

SHA256
70f887fea5277999b9f7c5b725a2601ea42f53c3de6f218867509057021d58be

SHA512
bd8b2c084b36f0b37f223aff83d0599affc0450ede1299efc37e5a9519cc9b26ecb209292865c06c7de29c4f3ffda070c56f956a7db7817427f2d2053b225baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\103495\n

Filesize
575KB

MD5
d61bfd64fbf003ba89a0038e38339df6

SHA1
ef8f3ea9aa749ea516e2d62ae586680c4e14d4e5

SHA256
3133dfe772afbe5ffd178038bee3ff413665ec29a5565881d63bbb5370c58af2

SHA512
56fbb30d2358297e662f19a6236c9e039d4ef78b97baf34508a04c80388483b5ee17dd2cba97a3bbbdcb4e28ce7d9322cfcab3974718c65945265591e86ba09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Appraisal

Filesize
3KB

MD5
768db4ac22081145374c24722fcc43ad

SHA1
bdb3807c1202e377300c0ba5c3583a698c37adfd

SHA256
344b4c601fd07df63377194621d87533a3afa29ff6f56190c4f64b5d9fab5b08

SHA512
d68a1343313c8f7d6ea6320fdd421a119725b2ebf71853e1726bcddda7e88812c2d018914ac9fa25ad4c236536813d33fb746e1b76e9860405025f78bdc1ddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Barbie

Filesize
67KB

MD5
001014c69a9062b0753718619b7e71e3

SHA1
5ee78ab9158525c3f2342707c29fbc8c50dc8426

SHA256
29a6f67de3f128b72f48cd17714c88ec0ef28771a242a4c6924087807d0f1182

SHA512
17bf97dfd5b44d40b0d662095d62e5af2954390de62b9791c1b1faea26c87e6427aa06b27bf7e53ddecdb7860d5b2b031da87164341fd945c320236f54fcfdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Centres

Filesize
23KB

MD5
de5800b2ad98e412afe2a7bc93dfa639

SHA1
e3d423c60e01c7c079261521b0939da80a85649a

SHA256
67d35db2809da95d2dc7e4ce76800103cbc042e2f02d1cc1934a6c06e5e6737c

SHA512
e935df1e0716ea1d5e5dcdf28e1a7cccbab533737f10ebf9dff9363e457512ebc9661ae615f06ff514ec03a1f3386e45bb98c996adf5a0fd7eedba2efec74079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Correct

Filesize
81KB

MD5
d91b8b96745f7b7d81179268d4da4b4d

SHA1
b4ad21afb4044b0c1461e1c5523d792110fb6130

SHA256
8704cb6ebe7eef39f91ca6838c2d06eb9b21ed6e6dfddc5f5707b8cb4a9f64f1

SHA512
8a036e1c23ff3c1921f5faab9bc423d7aad509e370ea1e45c31fc84e0e868e13c862cc51d14a1708b2147da6d6447e8d7cb2179e1d5ad8f33c29ce03c59af85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fine

Filesize
7KB

MD5
5a3868fbe5a6517157d7a0337c938e0a

SHA1
4e8e6c526393d3d679c93d2a57b0dca2ec0427fc

SHA256
75cb47c2bb9bededd276c0008683b7e655a9e943626d2755bfa7d7e167f2b31b

SHA512
0d1c04c9d05395ebd831ca0dc94158ca32b0b5c9c839190e00eaecd572d8ab78cdb0ec07b55afc38b8cff1d59759a73d0ae13ef7b14a2cd8089b11ffb7e53668

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gloves

Filesize
96KB

MD5
383cecc8de45b96cefdf4ce6ddbae343

SHA1
8a12728453735e74e0d633b28bdf4556d4b0af41

SHA256
a47c770a23612063f299f22871e18642b3d4668fb58765cdc279c4c0c3a23321

SHA512
3ae0ade7bd22e407cea05006c12f6f2a4a94a907919f2dee40441d019631e848e2a6c90f2ca0d16691c15a087926aac485f57e421af0d60fc5bbfcac43b36412

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latin

Filesize
89KB

MD5
ac72a864d71e31270399396cefa534e7

SHA1
c41004bcfb507028f7d109ea2cbab9a8ba5f4bd9

SHA256
f83c95dd15e4eb1b7f68946ecb8f1a689cc16cebe02ae68ebc4e08e7ab467296

SHA512
7275d5a775a4ffa64ac59f0bb350582f19549a9c2fe5b0e6686d642e6bbd4b16d21e7b4358addef096b539627d73cd39fe6a9d0377e817ca539c09cafdc95180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serious

Filesize
865KB

MD5
194a567844c46f20eabdcf8a7bf469dd

SHA1
ccc915eeaebea7ad2c5550a3ba1c917b3708c469

SHA256
c2e3adf32419b4163876794fce4ed1f2c5d631a13aaaa955f3d3e30f1eb66a13

SHA512
bb5be430767c176aff3a5d3bfbe039cd67edba0246f3c51d302fd08d4be19def43f7e6363d187aed454cd84f960dea90746b7b6eda525e3e4d67fa05b8ba3a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ski

Filesize
91KB

MD5
08342a0886a607763230cc9e7f9763e9

SHA1
edbea1401b8653fed918c0e6adbaf9e6271bec52

SHA256
f7ad68ce94df8b242fc3f6e9bd7814a16011214952805ed5e8e6adef74a27f48

SHA512
d2e319dd4e914dfb6f4399bc8527b4d1c764a02c4d5bdc8735f6ce9a46614622568692dab02122c47b75d8b970f0418de17ff08a8032b8f92fcf7e67d0259341

Download Submit
C:\Users\Admin\AppData\Local\Temp\Story

Filesize
72KB

MD5
99e977093bc7ab3360cbc1146d0ee20c

SHA1
ad950626c995af3bbe62e9ac187fa7cabda406ad

SHA256
c1551d0d3d6c658c1b55558c4fdb2b1be9233715b63485997c935c434bd570e7

SHA512
c148e1d0374611a19d6724eb7337a93899cfb4db9d040f3541a47ac35947098860bca1a9ec16e7b479e1aa98a258209e969459b2546700b462d18376b868b8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transparent

Filesize
76KB

MD5
0b034950e941768616af2eba4f9d4000

SHA1
a50f20a10e8df21a1b2c1655f9f300c31d2ebed3

SHA256
d9aea2aad680efcd111b992b6124e72f6ba2feb178867d1c5f5167a21423bd4e

SHA512
ec0fdfe281ccba186991dc872eeda99ec0efec5c4f8b2cbfaaa7cefc5248b08e071189934600a8eedfca804bcdf78f108778ce9a3b5f15c80bd80d77a1651965

Download Submit
\Users\Admin\AppData\Local\Temp\103495\Powder.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2652-54-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-53-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-52-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-57-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-56-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-55-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-58-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download
memory/2652-67-0x00000000057A0000-0x000000000580F000-memory.dmp

Filesize
444KB

Download