amadey | 6bdbc9a9e03c2e202acbf0a88eb378262b128c9d9a2d43f864f3f0b9479e8ca7

General

Target

1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Size

231KB
MD5

d2d53693ba630167f3d1689defd2277a
SHA1

e652a4df2934ef3187d7e62450b732ba9d35fdf6
SHA256

1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc
SHA512

bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413
SSDEEP

6144:AWgLu75uLPm/xUzXpxpbcpLFWS/nU8VIfsLknImS9:AWgiFgPm/xUNx4LNs8afk3X

Score

10^/10

amadey 0237fa discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.50

Botnet

0237fa

C2

http://193.56.146.194

Attributes

install_dir
50c1695437
install_file
rovwer.exe
strings_key
b6d412dd2efdf33d84e939e52040748f
url_paths
/h49vlBP/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rovwer.exe

Executes dropped EXE 4 IoCs

pid	Process
4700	rovwer.exe
2840	rovwer.exe
2200	rovwer.exe
2468	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2076	3304	WerFault.exe	82
4812	2840	WerFault.exe	103
4280	2200	WerFault.exe	109
3012	2468	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rovwer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4492	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4700	3304	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	83
PID 3304 wrote to memory of 4700	3304	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	83
PID 3304 wrote to memory of 4700	3304	1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe	83
PID 4700 wrote to memory of 4492	4700	rovwer.exe	87
PID 4700 wrote to memory of 4492	4700	rovwer.exe	87
PID 4700 wrote to memory of 4492	4700	rovwer.exe	87

C:\Users\Admin\AppData\Local\Temp\1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe
"C:\Users\Admin\AppData\Local\Temp\1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1144
  2⤵
  - Program crash
  PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3304 -ip 3304
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 416
  2⤵
  - Program crash
  PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2840 -ip 2840
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 424
  2⤵
  - Program crash
  PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2200 -ip 2200
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 216
  2⤵
  - Program crash
  PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2468 -ip 2468
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\045521122590

Filesize
84KB

MD5
8d94f9616b429353dd0c3c62350d6861

SHA1
6a5a23b8485961fae177b83a265aa029a670994e

SHA256
96cdd34fa4cceeefe793e8f032334d0c025b964478c0bc3b1e421cbf732604a5

SHA512
4367fef623cf75f3765d7b052cfbda583a67175fbf50eac4f588201636e15b33366b6ddd3855bc5016249909a4cd1999b6ac92f53c2a841c2452c7f8eda98b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
231KB

MD5
d2d53693ba630167f3d1689defd2277a

SHA1
e652a4df2934ef3187d7e62450b732ba9d35fdf6

SHA256
1858dd5e996c40a7e75c2c118262917bc9dc7e779e55de52579cd06b40559ddc

SHA512
bb015c508c2462fd2c563893961fa598ffe7b1c67bc587d013b1681fd5d77e8253995e08f9cdf34c0a21ea1e238f5c5091c20ac979c5c95e704728b16913d413

Download Submit
memory/2200-44-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2468-53-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2840-35-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2840-33-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2840-34-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/2840-32-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/3304-20-0x0000000000800000-0x000000000083E000-memory.dmp

Filesize
248KB

Download
memory/3304-19-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/3304-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-1-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/3304-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-2-0x0000000000800000-0x000000000083E000-memory.dmp

Filesize
248KB

Download
memory/4700-22-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4700-14-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4700-36-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4700-39-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4700-41-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download
memory/4700-49-0x0000000000400000-0x000000000059F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads