amadey | 471f22db8436b846bcc1b8d9691adb74d02cee7b49e4a58772f486ece4ca19db

General

Target

7c23cca92ddabc20911e0c51e19b002b.exe
Size

13.4MB
MD5

7c23cca92ddabc20911e0c51e19b002b
SHA1

f0e07a68ca36681ece42c23d75351d51a9b52a8c
SHA256

471f22db8436b846bcc1b8d9691adb74d02cee7b49e4a58772f486ece4ca19db
SHA512

981afbb497ffde188e5134c181f85870ee1da5b9eb4dfda17e33f1b469a5bf76051071c1f37507c3a9bf1c2abe5c15379f1d2bb457d0953242aaba201fe5c3e1
SSDEEP

196608:cbQLsmUzjxbODbedh49KRAg+89tvjXV9nHTDN0JgCDt0IEM:cbAUsWdlRT+wtrXzzwgCh0Ir

Score

10^/10

amadey 8a680c discovery trojan

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

8a680c

C2

http://62.60.226.15

Attributes

install_dir
f39a3c5206
install_file
Gxtuum.exe
strings_key
a1bf8674ebe6a09a1462faf683ebc122
url_paths
/8fj482jd9/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 3732	5052	7c23cca92ddabc20911e0c51e19b002b.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c23cca92ddabc20911e0c51e19b002b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5052	7c23cca92ddabc20911e0c51e19b002b.exe
5052	7c23cca92ddabc20911e0c51e19b002b.exe
3732	more.com
3732	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5052	7c23cca92ddabc20911e0c51e19b002b.exe
3732	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3732	5052	7c23cca92ddabc20911e0c51e19b002b.exe	83
PID 5052 wrote to memory of 3732	5052	7c23cca92ddabc20911e0c51e19b002b.exe	83
PID 5052 wrote to memory of 3732	5052	7c23cca92ddabc20911e0c51e19b002b.exe	83
PID 5052 wrote to memory of 3732	5052	7c23cca92ddabc20911e0c51e19b002b.exe	83
PID 3732 wrote to memory of 2848	3732	more.com	92
PID 3732 wrote to memory of 2848	3732	more.com	92
PID 3732 wrote to memory of 2848	3732	more.com	92
PID 3732 wrote to memory of 2848	3732	more.com	92
PID 3732 wrote to memory of 2848	3732	more.com	92

C:\Users\Admin\AppData\Local\Temp\7c23cca92ddabc20911e0c51e19b002b.exe
"C:\Users\Admin\AppData\Local\Temp\7c23cca92ddabc20911e0c51e19b002b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21ee8cec

Filesize
1.1MB

MD5
d2ac740e7f02d1857d23cc613d2a3015

SHA1
333427371d9ff322e761d306a42ab0d6a863e6f9

SHA256
b820ec17cfc9eec57cabaa1b6e79173a5e6ef6bc0fdf0b456ec943e02bca4d5f

SHA512
8a91b783255e60bf95f7653f2e5ecb693a009babb580e37130721d845ddfc73ece82a669e9ebf01faec7a10598c3603ece8d82f130bc567f8747a7a72bb29933

Download Submit
C:\Users\Admin\AppData\Local\Temp\24e362de

Filesize
1.1MB

MD5
27a0dd706419aa20a10929e345221eba

SHA1
dce5ca4d6cc84bef580050c44ce2be059041338b

SHA256
b3266a2d5be211a25af6e0bb2a640b8c55090b6206813da5f0cd2fbace5ffc61

SHA512
1e954752c281efc0752f8502467e5a05c08a0f40c0efc1867eff51c3377264323b8cd85db476dff28b45790cd106cfc7db65015e2c2961e15f0e82a90d94cf08

Download Submit
memory/2848-32-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/2848-31-0x00007FF9B62D0000-0x00007FF9B64C5000-memory.dmp

Filesize
2.0MB

Download
memory/3732-20-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-30-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-26-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-25-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-23-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-22-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/3732-21-0x00007FF9B62D0000-0x00007FF9B64C5000-memory.dmp

Filesize
2.0MB

Download
memory/5052-9-0x0000000075373000-0x0000000075375000-memory.dmp

Filesize
8KB

Download
memory/5052-16-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/5052-13-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/5052-12-0x0000000075373000-0x0000000075375000-memory.dmp

Filesize
8KB

Download
memory/5052-11-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/5052-10-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/5052-0-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/5052-8-0x00007FF9B62D0000-0x00007FF9B64C5000-memory.dmp

Filesize
2.0MB

Download
memory/5052-7-0x0000000075360000-0x0000000075913000-memory.dmp

Filesize
5.7MB

Download
memory/5052-1-0x0000000000400000-0x0000000000C27000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing