amadey | 6bdbc9a9e03c2e202acbf0a88eb378262b128c9d9a2d43f864f3f0b9479e8ca7

General

Target

1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Size

231KB
MD5

d2d53693ba630167f3d1689defd2277a
SHA1

e652a4df2934ef3187d7e62450b732ba9d35fdf6
SHA256

1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
SHA512

bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413
SSDEEP

6144:AWgLu75uLPm/xUzXpxpbcpLFWS/nU8VIfsLknImS9:AWgiFgPm/xUNx4LNs8afk3X

Score

10^/10

amadey 0237fa discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.50

Botnet

0237fa

C2

http://193.56.146.194

Attributes

install_dir
50c1695437
install_file
rovwer.exe
strings_key
b6d412dd2efdf33d84e939e52040748f
url_paths
/h49vlBP/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Executes dropped EXE 4 IoCs

pid	Process
532	rovwer.exe
2788	rovwer.exe
1468	rovwer.exe
2404	rovwer.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rovwer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 532	1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	30
PID 1724 wrote to memory of 532	1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	30
PID 1724 wrote to memory of 532	1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	30
PID 1724 wrote to memory of 532	1724	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	30
PID 532 wrote to memory of 2500	532	rovwer.exe	31
PID 532 wrote to memory of 2500	532	rovwer.exe	31
PID 532 wrote to memory of 2500	532	rovwer.exe	31
PID 532 wrote to memory of 2500	532	rovwer.exe	31
PID 2628 wrote to memory of 2788	2628	taskeng.exe	36
PID 2628 wrote to memory of 2788	2628	taskeng.exe	36
PID 2628 wrote to memory of 2788	2628	taskeng.exe	36
PID 2628 wrote to memory of 2788	2628	taskeng.exe	36
PID 2628 wrote to memory of 1468	2628	taskeng.exe	37
PID 2628 wrote to memory of 1468	2628	taskeng.exe	37
PID 2628 wrote to memory of 1468	2628	taskeng.exe	37
PID 2628 wrote to memory of 1468	2628	taskeng.exe	37
PID 2628 wrote to memory of 2404	2628	taskeng.exe	39
PID 2628 wrote to memory of 2404	2628	taskeng.exe	39
PID 2628 wrote to memory of 2404	2628	taskeng.exe	39
PID 2628 wrote to memory of 2404	2628	taskeng.exe	39

C:\Users\Admin\AppData\Local\Temp\1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
"C:\Users\Admin\AppData\Local\Temp\1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2500

C:\Windows\system32\taskeng.exe
taskeng.exe {37908677-60DB-48EF-BCE6-B995C67B1B39} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\177215427744

Filesize
70KB

MD5
a53a363bb2272e924cfe1ac0f4b41d28

SHA1
73c9c67c5b85380ccb44c677768da4a37d2f577e

SHA256
01af0a2c85caf76f62794435ba5f1120b285c699c5ab844b127d637a1fe0a53c

SHA512
cd47af719b6714c618c0677aa3e1fb5db2aa78ba9d468ecf44abb65ca4fec3eb78fcc15d301e76a48eb8ed85f7a842a02c390502f35fbf9bb974262d8d3fb07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
231KB

MD5
d2d53693ba630167f3d1689defd2277a

SHA1
e652a4df2934ef3187d7e62450b732ba9d35fdf6

SHA256
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc

SHA512
bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413

Download Submit
memory/532-39-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-26-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-47-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-40-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-20-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-19-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/532-18-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1468-45-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-5-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/1724-15-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/1724-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-54-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2788-31-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads