amadey | 49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

General

Target

5ec04966ef8901ac13aa603645b3197d.exe
Size

5.1MB
MD5

5ec04966ef8901ac13aa603645b3197d
SHA1

e5263e87abb62c10a7224b598ae905858c6000de
SHA256

49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0
SHA512

0fb6c5fa4110a2abcc02d1f405b1cd7236778223b2865991baef05eeaf2314d7b57104fbd0bc0a5c263561e144434a654937b4c620c5960f83064fcf279b3d4d
SSDEEP

98304:8L1T/X3Xn/odDFr3urN2mPR1iGV1PxMNmXV7v:+vJrNNJgGV1Px+W9

Score

10^/10

amadey 9c88c6 discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

9c88c6

Attributes

install_dir
c0461fd49a
install_file
Gxtuum.exe
strings_key
1b8c0142f1804d4531696e70270c2eee
url_paths
/pLQvfD4d5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArmourySwAgent.lnk	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 3656	2608	5ec04966ef8901ac13aa603645b3197d.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wbem service.job	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ec04966ef8901ac13aa603645b3197d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2608	5ec04966ef8901ac13aa603645b3197d.exe
2608	5ec04966ef8901ac13aa603645b3197d.exe
2608	5ec04966ef8901ac13aa603645b3197d.exe
2608	5ec04966ef8901ac13aa603645b3197d.exe
3656	netsh.exe
3656	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2608	5ec04966ef8901ac13aa603645b3197d.exe
3656	netsh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 3656	2608	5ec04966ef8901ac13aa603645b3197d.exe	83
PID 2608 wrote to memory of 3656	2608	5ec04966ef8901ac13aa603645b3197d.exe	83
PID 2608 wrote to memory of 3656	2608	5ec04966ef8901ac13aa603645b3197d.exe	83
PID 2608 wrote to memory of 3656	2608	5ec04966ef8901ac13aa603645b3197d.exe	83
PID 3656 wrote to memory of 2116	3656	netsh.exe	101
PID 3656 wrote to memory of 2116	3656	netsh.exe	101
PID 3656 wrote to memory of 2116	3656	netsh.exe	101
PID 3656 wrote to memory of 2116	3656	netsh.exe	101
PID 3656 wrote to memory of 2116	3656	netsh.exe	101

C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe
"C:\Users\Admin\AppData\Local\Temp\5ec04966ef8901ac13aa603645b3197d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\SysWOW64\netsh.exe
  2⤵
  - Drops startup file
  - Drops file in Windows directory
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4e7cd6f

Filesize
1.1MB

MD5
b3727466ec07a63846376921058eb8c2

SHA1
9d5bb92eb483453386ca6584156b1779b81d517a

SHA256
7288b5649ac5a71591da2e3e2dc8b6297160ba662f81d343cd59f271baee743e

SHA512
e49bc7f234bd9c3a9cf07a5b55c20b8a6297bec3882962ea7e314968f75dd5d0091398cedf2065eea8451d2ae4bfb554c7d32afc00e32475c62fe652c39c9227

Download Submit
C:\Users\Admin\AppData\Local\Temp\d899a43e

Filesize
1.1MB

MD5
56a5399fc2b0a749c91d0816904744e3

SHA1
94b34a8751f613ecacf99c5c522a1ae5286e7fc0

SHA256
f61f8b28238029113290edc22429ab746cde66e0319fd0bad172d9ea36f9aa5d

SHA512
82c775173de1d07ebf8ee7593f1720414c977cefda4ba21e6be0f3a8cb89638e59701b4a23aef8401e980e566ec6964d35ef5de6ebe5eff311c44421bbf26244

Download Submit
C:\Users\Admin\AppData\Roaming\SwAgent\ArmourySwAgent.exe

Filesize
5.1MB

MD5
5ec04966ef8901ac13aa603645b3197d

SHA1
e5263e87abb62c10a7224b598ae905858c6000de

SHA256
49e58e5dd3be1cb7249207a329c465ae65fa3099148b4e4e279afd88bc4b1fe0

SHA512
0fb6c5fa4110a2abcc02d1f405b1cd7236778223b2865991baef05eeaf2314d7b57104fbd0bc0a5c263561e144434a654937b4c620c5960f83064fcf279b3d4d

Download Submit
memory/2116-41-0x00000000004C0000-0x0000000000535000-memory.dmp

Filesize
468KB

Download
memory/2116-40-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/2116-36-0x00000000004C0000-0x0000000000535000-memory.dmp

Filesize
468KB

Download
memory/2608-18-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/2608-9-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/2608-12-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/2608-13-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2608-0-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2608-10-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/2608-2-0x000000005FF40000-0x000000005FF41000-memory.dmp

Filesize
4KB

Download
memory/2608-11-0x0000000075963000-0x0000000075965000-memory.dmp

Filesize
8KB

Download
memory/2608-1-0x000000005FF50000-0x000000005FF51000-memory.dmp

Filesize
4KB

Download
memory/2608-3-0x0000000000400000-0x000000000092A000-memory.dmp

Filesize
5.2MB

Download
memory/3656-23-0x00007FFC45ED0000-0x00007FFC460C5000-memory.dmp

Filesize
2.0MB

Download
memory/3656-38-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/3656-33-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/3656-32-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download
memory/3656-22-0x0000000075950000-0x0000000075F03000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads