amadey | ac4345332d24b048fc1b99301435e7dc5c78d5561ac9bd0c512cad1cc47080b1

General

Target

34156c23ded10df5fbb61511b968e6cd.exe
Size

12.1MB
MD5

34156c23ded10df5fbb61511b968e6cd
SHA1

17271001393b53ff7d605a8925086d68101a0f15
SHA256

ac4345332d24b048fc1b99301435e7dc5c78d5561ac9bd0c512cad1cc47080b1
SHA512

160b10205c5e0bc888ec337e700c928a3880c897775e7278ec84e9b9279e058394661f9cdbfc42947b36e84c37910b98dcc54ec5d84cebad33914b8909bccf9f
SSDEEP

393216:lvQ5wyLqi68Ko/AhbRu074MQIEZjBv2ZbC+p:lo5PLBAh40kJjUZbCS

Score

10^/10

amadey 3b4498 discovery trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

3b4498

C2

http://gardenhub-fitlife.com

http://gardenhub-fitlife2.com

http://gardenhub-fitlife3.com

Attributes

strings_key
8ebb4a20053589d32f9b9ccd6234230f
url_paths
/g9jvjfd73/index.php

/g9jvjfd74/index.php

/8bkjdSdfjCe/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	34156c23ded10df5fbb61511b968e6cd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3876 set thread context of 636	3876	34156c23ded10df5fbb61511b968e6cd.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\MB Led SDK.job	more.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34156c23ded10df5fbb61511b968e6cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3876	34156c23ded10df5fbb61511b968e6cd.exe
3876	34156c23ded10df5fbb61511b968e6cd.exe
636	more.com
636	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3876	34156c23ded10df5fbb61511b968e6cd.exe
636	more.com

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 636	3876	34156c23ded10df5fbb61511b968e6cd.exe	83
PID 3876 wrote to memory of 636	3876	34156c23ded10df5fbb61511b968e6cd.exe	83
PID 3876 wrote to memory of 636	3876	34156c23ded10df5fbb61511b968e6cd.exe	83
PID 3876 wrote to memory of 636	3876	34156c23ded10df5fbb61511b968e6cd.exe	83
PID 636 wrote to memory of 3700	636	more.com	106
PID 636 wrote to memory of 3700	636	more.com	106
PID 636 wrote to memory of 3700	636	more.com	106
PID 636 wrote to memory of 3700	636	more.com	106
PID 636 wrote to memory of 3700	636	more.com	106

C:\Users\Admin\AppData\Local\Temp\34156c23ded10df5fbb61511b968e6cd.exe
"C:\Users\Admin\AppData\Local\Temp\34156c23ded10df5fbb61511b968e6cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e6953db6

Filesize
1.4MB

MD5
0fda52f9ceb734b4ceb0a3819e6d336f

SHA1
52edd376fc0c4fb226a7a58829305d0248b43380

SHA256
06736dcf382a751afc48510e882f921708b0ca5d13bd4ad5aef02d82eb2fc2e4

SHA512
696729d5049b5cb4dd500b5d2099a9870a9e317408010fde6774a71528ef0801bf71ee421a71eb0b11a343d69ef3dd36f9e6a4e3158e9f2c5a15899826a41dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebca780a

Filesize
1.2MB

MD5
0f7d22cbc8d10767ef32fba3a7bc381a

SHA1
02f5f2761298cd6921e35d96153c483f237d6429

SHA256
bd30330a871003e7836341bd92e181ed4544edf8e500e2f2ec0ed8ae3ab09336

SHA512
482ed68bec4c0f227e3031d1d3e73c81d0874f3667047b1eb1bb5fa423a463be1cdc95ed7838dac93740127d3de1177030b457bf8e20174980d8972038cea820

Download Submit
memory/636-17-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-16-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-27-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-23-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-13-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-22-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/636-15-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3700-29-0x0000000000620000-0x00000000006AC000-memory.dmp

Filesize
560KB

Download
memory/3700-28-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3876-6-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/3876-0-0x0000000000630000-0x0000000000C1B000-memory.dmp

Filesize
5.9MB

Download
memory/3876-7-0x00007FFB60E70000-0x00007FFB61065000-memory.dmp

Filesize
2.0MB

Download
memory/3876-11-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/3876-10-0x0000000073B33000-0x0000000073B35000-memory.dmp

Filesize
8KB

Download
memory/3876-9-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/3876-8-0x0000000073B33000-0x0000000073B35000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing