amadey | 4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812

General

Target

22ef0ec1302427d5b197b30e545d0400.exe
Size

16.4MB
MD5

22ef0ec1302427d5b197b30e545d0400
SHA1

bc6b6278e436c56311bacc5e4476e5d4bab00692
SHA256

4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812
SHA512

27e97250d50f8b31fcb5552826655bed92cc3a5f8334710fbb905b5a3f21dfc8e6c7e3202fa3982a21544247711fbc1f361224bb42fad28c91cf362df502c6d0
SSDEEP

393216:vMFPfYHcbXui8nRMeW3PBNEbdAgKvd5txx:vLLn5AgKvxX

Score

10^/10

amadey 0b0f72 discovery trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

0b0f72

Attributes

install_dir
6442e74d50
install_file
Gxtuum.exe
strings_key
d4bd0bf3214b416527b6ec31c7facca5
url_paths
/pLQvfD4d5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 3560	1124	22ef0ec1302427d5b197b30e545d0400.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\FmHttp.job	more.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ef0ec1302427d5b197b30e545d0400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1124	22ef0ec1302427d5b197b30e545d0400.exe
1124	22ef0ec1302427d5b197b30e545d0400.exe
3560	more.com
3560	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1124	22ef0ec1302427d5b197b30e545d0400.exe
3560	more.com

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1124	22ef0ec1302427d5b197b30e545d0400.exe
1124	22ef0ec1302427d5b197b30e545d0400.exe
1124	22ef0ec1302427d5b197b30e545d0400.exe
1124	22ef0ec1302427d5b197b30e545d0400.exe
1124	22ef0ec1302427d5b197b30e545d0400.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3560	1124	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 1124 wrote to memory of 3560	1124	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 1124 wrote to memory of 3560	1124	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 1124 wrote to memory of 3560	1124	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 3560 wrote to memory of 3444	3560	more.com	105
PID 3560 wrote to memory of 3444	3560	more.com	105
PID 3560 wrote to memory of 3444	3560	more.com	105
PID 3560 wrote to memory of 3444	3560	more.com	105
PID 3560 wrote to memory of 3444	3560	more.com	105

C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe
"C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12245298

Filesize
1.4MB

MD5
4e240d276ef1a54d1b667d1f9eb88e21

SHA1
1e5b274fc533f472800c9277cba0790d93cda629

SHA256
fa8f7069956f8077648e58f45c29acb1bd6ab3dc8717329a58fd27d61e4c8972

SHA512
e91666bbd38c38b56269d95029aad986aee88172f65f7a41c24a6d11dc1ffc776cce84a51efbd52b61428f6bf1183e9ee9a09671c8cc499eb15cac2ec3ce0932

Download Submit
C:\Users\Admin\AppData\Local\Temp\19137ba6

Filesize
1.2MB

MD5
19c224b487f2acdccfed536483588875

SHA1
8f3b5dbd2a9037c5fcff9ec7fc72aed336bb16b5

SHA256
29d035529a67f4e7db41f1e5ca90df487e5fa017c4af23cee870ca54b2abf08d

SHA512
77fab952a1fcce206e586fb91178affae8deb05f43533ae14c1c829a481c28e8bbf874b9f9c72484aa76fc6ae1defed8b361c4662f2b02f1fcb644ed1ec5876d

Download Submit
memory/1124-10-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/1124-7-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/1124-8-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

Filesize
2.0MB

Download
memory/1124-9-0x0000000076283000-0x0000000076285000-memory.dmp

Filesize
8KB

Download
memory/1124-11-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/1124-13-0x0000000076283000-0x0000000076285000-memory.dmp

Filesize
8KB

Download
memory/1124-25-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/1124-0-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/1124-1-0x0000000000400000-0x00000000012D7000-memory.dmp

Filesize
14.8MB

Download
memory/3444-43-0x0000000001150000-0x00000000011DB000-memory.dmp

Filesize
556KB

Download
memory/3444-47-0x0000000001150000-0x00000000011DB000-memory.dmp

Filesize
556KB

Download
memory/3444-46-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

Filesize
2.0MB

Download
memory/3560-27-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-36-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-37-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-38-0x0000000002FD0000-0x0000000003583000-memory.dmp

Filesize
5.7MB

Download
memory/3560-42-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-31-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-45-0x0000000002FD0000-0x0000000003583000-memory.dmp

Filesize
5.7MB

Download
memory/3560-30-0x0000000076270000-0x0000000076823000-memory.dmp

Filesize
5.7MB

Download
memory/3560-28-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing