Overview

overview

10

Static

static

3

34156c23de...cd.exe

windows7-x64

10

34156c23de...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 14:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34156c23ded10df5fbb61511b968e6cd.exe

  • Size

    12.1MB

  • MD5

    34156c23ded10df5fbb61511b968e6cd

  • SHA1

    17271001393b53ff7d605a8925086d68101a0f15

  • SHA256

    ac4345332d24b048fc1b99301435e7dc5c78d5561ac9bd0c512cad1cc47080b1

  • SHA512

    160b10205c5e0bc888ec337e700c928a3880c897775e7278ec84e9b9279e058394661f9cdbfc42947b36e84c37910b98dcc54ec5d84cebad33914b8909bccf9f

  • SSDEEP

    393216:lvQ5wyLqi68Ko/AhbRu074MQIEZjBv2ZbC+p:lo5PLBAh40kJjUZbCS

Score
10/10
amadey3b4498discoverytrojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

3b4498

C2

http://gardenhub-fitlife.com

http://gardenhub-fitlife2.com

http://gardenhub-fitlife3.com
Attributes
  • strings_key

    8ebb4a20053589d32f9b9ccd6234230f

  • url_paths

    /g9jvjfd73/index.php

    /g9jvjfd74/index.php

    /8bkjdSdfjCe/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34156c23ded10df5fbb61511b968e6cd.exe
    "C:\Users\Admin\AppData\Local\Temp\34156c23ded10df5fbb61511b968e6cd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bddc0125
    Filesize

    1.4MB

    MD5

    0fda52f9ceb734b4ceb0a3819e6d336f

    SHA1

    52edd376fc0c4fb226a7a58829305d0248b43380

    SHA256

    06736dcf382a751afc48510e882f921708b0ca5d13bd4ad5aef02d82eb2fc2e4

    SHA512

    696729d5049b5cb4dd500b5d2099a9870a9e317408010fde6774a71528ef0801bf71ee421a71eb0b11a343d69ef3dd36f9e6a4e3158e9f2c5a15899826a41dc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c1b004ef
    Filesize

    1.2MB

    MD5

    57697a79a19e26bd054544a15ccea89d

    SHA1

    f902c7433f2c7c17f989c0c87e46551dc6c032e7

    SHA256

    06fa5f1e5c3646b2b8106c0c3cb777c4986a4685e552afffa283f35bc4c42ca8

    SHA512

    ed5a2b87d417f0479de4a45687f9e941e7f0e69d7ed08c2438079c614f57ed4b783666025c72a79e38407ca0392c9441f43d0be02878df6ff44af60e225537fd

    Download Submit

  • memory/540-6-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/540-7-0x0000000077130000-0x00000000772D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/540-9-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/540-8-0x0000000073E33000-0x0000000073E35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/540-0-0x0000000000400000-0x00000000009EB000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/540-12-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-16-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-15-0x0000000077130000-0x00000000772D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2284-13-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-18-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-17-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-23-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-25-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2284-24-0x0000000073E20000-0x0000000073F94000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2628-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2628-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2628-29-0x0000000077130000-0x00000000772D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2628-30-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

    Download