amadey | 4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812

General

Target

22ef0ec1302427d5b197b30e545d0400.exe
Size

16.4MB
MD5

22ef0ec1302427d5b197b30e545d0400
SHA1

bc6b6278e436c56311bacc5e4476e5d4bab00692
SHA256

4ae196c51c70c762f9cbf250af00414f93e8ccea2337a7595d5307a474858812
SHA512

27e97250d50f8b31fcb5552826655bed92cc3a5f8334710fbb905b5a3f21dfc8e6c7e3202fa3982a21544247711fbc1f361224bb42fad28c91cf362df502c6d0
SSDEEP

393216:vMFPfYHcbXui8nRMeW3PBNEbdAgKvd5txx:vLLn5AgKvxX

Score

10^/10

amadey 0b0f72 discovery trojan

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

0b0f72

Attributes

install_dir
6442e74d50
install_file
Gxtuum.exe
strings_key
d4bd0bf3214b416527b6ec31c7facca5
url_paths
/pLQvfD4d5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 704	2880	22ef0ec1302427d5b197b30e545d0400.exe	83

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\FmHttp.job	more.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ef0ec1302427d5b197b30e545d0400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2880	22ef0ec1302427d5b197b30e545d0400.exe
2880	22ef0ec1302427d5b197b30e545d0400.exe
704	more.com
704	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2880	22ef0ec1302427d5b197b30e545d0400.exe
704	more.com

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2880	22ef0ec1302427d5b197b30e545d0400.exe
2880	22ef0ec1302427d5b197b30e545d0400.exe
2880	22ef0ec1302427d5b197b30e545d0400.exe
2880	22ef0ec1302427d5b197b30e545d0400.exe
2880	22ef0ec1302427d5b197b30e545d0400.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 704	2880	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 2880 wrote to memory of 704	2880	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 2880 wrote to memory of 704	2880	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 2880 wrote to memory of 704	2880	22ef0ec1302427d5b197b30e545d0400.exe	83
PID 704 wrote to memory of 3608	704	more.com	106
PID 704 wrote to memory of 3608	704	more.com	106
PID 704 wrote to memory of 3608	704	more.com	106
PID 704 wrote to memory of 3608	704	more.com	106
PID 704 wrote to memory of 3608	704	more.com	106

C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe
"C:\Users\Admin\AppData\Local\Temp\22ef0ec1302427d5b197b30e545d0400.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d5c7bfe9

Filesize
1.4MB

MD5
4e240d276ef1a54d1b667d1f9eb88e21

SHA1
1e5b274fc533f472800c9277cba0790d93cda629

SHA256
fa8f7069956f8077648e58f45c29acb1bd6ab3dc8717329a58fd27d61e4c8972

SHA512
e91666bbd38c38b56269d95029aad986aee88172f65f7a41c24a6d11dc1ffc776cce84a51efbd52b61428f6bf1183e9ee9a09671c8cc499eb15cac2ec3ce0932

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc2d8d74

Filesize
1.2MB

MD5
c5ea77e0f3be9746cd7c2517b546ccdc

SHA1
cb60cc05f819bffb01d212605fd01a662ef4af97

SHA256
2a55f8ee5635a4a932fb165c6852d803c84aa72a9a515855bca815cb0ddeedba

SHA512
e78fe2ff95791e78a5b335f5434c187f68bb783130a0f13408963c4cdc65a584aa927a48e3b99fef24195b27db6748c42a4e2e640a70a17c47413fdff76a4f21

Download Submit
memory/704-34-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/704-27-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/704-41-0x00000000033D0000-0x0000000003983000-memory.dmp

Filesize
5.7MB

Download
memory/704-40-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/704-36-0x00000000033D0000-0x0000000003983000-memory.dmp

Filesize
5.7MB

Download
memory/704-35-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/704-29-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/704-28-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/704-24-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/2880-1-0x0000000000400000-0x00000000012D7000-memory.dmp

Filesize
14.8MB

Download
memory/2880-7-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/2880-22-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/2880-13-0x0000000077673000-0x0000000077675000-memory.dmp

Filesize
8KB

Download
memory/2880-0-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2880-11-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2880-10-0x0000000077660000-0x0000000077C13000-memory.dmp

Filesize
5.7MB

Download
memory/2880-9-0x0000000077673000-0x0000000077675000-memory.dmp

Filesize
8KB

Download
memory/2880-8-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/3608-42-0x00007FFF4EED0000-0x00007FFF4F0C5000-memory.dmp

Filesize
2.0MB

Download
memory/3608-43-0x0000000000310000-0x000000000039B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing