amadey | 49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

General

Target

5ec04966ef8901ac13aa603645b3197d.exe
Size

5.1MB
MD5

5ec04966ef8901ac13aa603645b3197d
SHA1

e5263e87abb62c10a7224b598ae905858c6000de
SHA256

49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0
SHA512

0fb6c5fa4110a2abcc02d1f405b1cd7236778223b2865991baef05eeaf2314d7b57104fbd0bc0a5c263561e144434a654937b4c620c5960f83064fcf279b3d4d
SSDEEP

98304:8L1T/X3Xn/odDFr3urN2mPR1iGV1PxMNmXV7v:+vJrNNJgGV1Px+W9

Score

10^/10

amadey 9c88c6 discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

9c88c6

Attributes

install_dir
c0461fd49a
install_file
Gxtuum.exe
strings_key
1b8c0142f1804d4531696e70270c2eee
url_paths
/pLQvfD4d5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArmourySwAgent.lnk	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 3100	4288	5ec04966ef8901ac13aa603645b3197d.exe	85

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wbem service.job	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ec04966ef8901ac13aa603645b3197d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4288	5ec04966ef8901ac13aa603645b3197d.exe
4288	5ec04966ef8901ac13aa603645b3197d.exe
4288	5ec04966ef8901ac13aa603645b3197d.exe
4288	5ec04966ef8901ac13aa603645b3197d.exe
3100	netsh.exe
3100	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4288	5ec04966ef8901ac13aa603645b3197d.exe
3100	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 3100	4288	5ec04966ef8901ac13aa603645b3197d.exe	85
PID 4288 wrote to memory of 3100	4288	5ec04966ef8901ac13aa603645b3197d.exe	85
PID 4288 wrote to memory of 3100	4288	5ec04966ef8901ac13aa603645b3197d.exe	85
PID 4288 wrote to memory of 3100	4288	5ec04966ef8901ac13aa603645b3197d.exe	85
PID 3100 wrote to memory of 1796	3100	netsh.exe	103
PID 3100 wrote to memory of 1796	3100	netsh.exe	103
PID 3100 wrote to memory of 1796	3100	netsh.exe	103
PID 3100 wrote to memory of 1796	3100	netsh.exe	103
PID 3100 wrote to memory of 1796	3100	netsh.exe	103

C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe
"C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Drops startup file
  - Drops file in Windows directory
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25bbb8e3

Filesize
1.1MB

MD5
b3727466ec07a63846376921058eb8c2

SHA1
9d5bb92eb483453386ca6584156b1779b81d517a

SHA256
7288b5649ac5a71591da2e3e2dc8b6297160ba662f81d343cd59f271baee743e

SHA512
e49bc7f234bd9c3a9cf07a5b55c20b8a6297bec3882962ea7e314968f75dd5d0091398cedf2065eea8451d2ae4bfb554c7d32afc00e32475c62fe652c39c9227

Download Submit
C:\Users\Admin\AppData\Local\Temp\29b34513

Filesize
1.1MB

MD5
82bd272fca742c4282df6bc1787be36f

SHA1
40c6a6d0bd308b2abfa6d91a813f705a4398351c

SHA256
079d58e795e448bb8b88cd872af2d8bfdcfc5be6872b82c4b212ab9a203fdff9

SHA512
bd39e82660f66a33df88180eaebaee6c73347cf9fa70dc3ff08e847a17b0e0f3bb34622f3db84a956c3d9e9c5cbb8634c691da11f4e7538def2a46b24dba4b97

Download Submit
C:\Users\Admin\AppData\Roaming\SwAgent\ArmourySwAgent.exe

Filesize
5.1MB

MD5
5ec04966ef8901ac13aa603645b3197d

SHA1
e5263e87abb62c10a7224b598ae905858c6000de

SHA256
49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

SHA512
0fb6c5fa4110a2abcc02d1f405b1cd7236778223b2865991baef05eeaf2314d7b57104fbd0bc0a5c263561e144434a654937b4c620c5960f83064fcf279b3d4d

Download Submit
memory/1796-41-0x0000000001210000-0x0000000001285000-memory.dmp

Filesize
468KB

Download
memory/1796-40-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/1796-37-0x0000000001210000-0x0000000001285000-memory.dmp

Filesize
468KB

Download
memory/3100-20-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/3100-38-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/3100-33-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/3100-32-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/3100-23-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/4288-9-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/4288-18-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/4288-13-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4288-12-0x0000000075450000-0x0000000075A03000-memory.dmp

Filesize
5.7MB

Download
memory/4288-11-0x0000000075463000-0x0000000075465000-memory.dmp

Filesize
8KB

Download
memory/4288-10-0x00007FFE21530000-0x00007FFE21725000-memory.dmp

Filesize
2.0MB

Download
memory/4288-0-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4288-3-0x0000000000400000-0x000000000092A000-memory.dmp

Filesize
5.2MB

Download
memory/4288-1-0x000000005FF50000-0x000000005FF51000-memory.dmp

Filesize
4KB

Download
memory/4288-2-0x000000005FF40000-0x000000005FF41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads