amadey | 25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587

Resubmissions

02-07-2024 20:30

240702-y99q7axgja 10

02-07-2024 20:21

240702-y449hsxdja 10

15-06-2024 12:25

240615-plyjksthpp 10

Analysis

max time kernel
1772s
max time network
1788s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
Size

9.9MB
MD5

36738debf327efec480324af18b94766
SHA1

5485d691b89a483f823a5be4b3c2b9a3a755f3fd
SHA256

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587
SHA512

d58b10fcd8cf88cda44e9fd1bd7a7d5c029ccf920464290152c9f005382b3720b6a84ef1750a4595c4611905cc22f358daa0fb5a2e7de4ee51be1907c6c3c64e
SSDEEP

196608:JkSJiPMvxwqNSb4OFVT20XYwO63UwxtQLODByENIUMTnh:OQmkwqNSb4OFV2ZwOnwxtsqNTqnh

Score

10^/10

amadey 237e24 trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

237e24

http://77.91.77.140

Attributes

install_dir
128c262c3e
install_file
Hkbsse.exe
strings_key
290b81e8c919db72c216d14cb1d817dd
url_paths
/g9bkfkWf/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

Executes dropped EXE 31 IoCs

Processes:

Hkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exe

pid	process
3948	Hkbsse.exe
1076	Hkbsse.exe
1592	Hkbsse.exe
2300	Hkbsse.exe
4988	Hkbsse.exe
2372	Hkbsse.exe
3076	Hkbsse.exe
1424	Hkbsse.exe
432	Hkbsse.exe
4448	Hkbsse.exe
4016	Hkbsse.exe
4740	Hkbsse.exe
1152	Hkbsse.exe
596	Hkbsse.exe
2300	Hkbsse.exe
4524	Hkbsse.exe
4608	Hkbsse.exe
4764	Hkbsse.exe
1372	Hkbsse.exe
672	Hkbsse.exe
2844	Hkbsse.exe
4672	Hkbsse.exe
3908	Hkbsse.exe
4348	Hkbsse.exe
532	Hkbsse.exe
4508	Hkbsse.exe
4164	Hkbsse.exe
3184	Hkbsse.exe
2000	Hkbsse.exe
3528	Hkbsse.exe
636	Hkbsse.exe

Drops file in Windows directory 1 IoCs

Processes:

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job 25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exe

pid	process
3436	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
3436	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
3948	Hkbsse.exe
3948	Hkbsse.exe
1076	Hkbsse.exe
1076	Hkbsse.exe
1592	Hkbsse.exe
1592	Hkbsse.exe
2300	Hkbsse.exe
2300	Hkbsse.exe
4988	Hkbsse.exe
4988	Hkbsse.exe
2372	Hkbsse.exe
2372	Hkbsse.exe
3076	Hkbsse.exe
3076	Hkbsse.exe
1424	Hkbsse.exe
1424	Hkbsse.exe
432	Hkbsse.exe
432	Hkbsse.exe
4448	Hkbsse.exe
4448	Hkbsse.exe
4016	Hkbsse.exe
4016	Hkbsse.exe
4740	Hkbsse.exe
4740	Hkbsse.exe
1152	Hkbsse.exe
1152	Hkbsse.exe
596	Hkbsse.exe
596	Hkbsse.exe
2300	Hkbsse.exe
2300	Hkbsse.exe
4524	Hkbsse.exe
4524	Hkbsse.exe
4608	Hkbsse.exe
4608	Hkbsse.exe
4764	Hkbsse.exe
4764	Hkbsse.exe
1372	Hkbsse.exe
1372	Hkbsse.exe
672	Hkbsse.exe
672	Hkbsse.exe
2844	Hkbsse.exe
2844	Hkbsse.exe
4672	Hkbsse.exe
4672	Hkbsse.exe
3908	Hkbsse.exe
3908	Hkbsse.exe
4348	Hkbsse.exe
4348	Hkbsse.exe
532	Hkbsse.exe
532	Hkbsse.exe
4508	Hkbsse.exe
4508	Hkbsse.exe
4164	Hkbsse.exe
4164	Hkbsse.exe
3184	Hkbsse.exe
3184	Hkbsse.exe
2000	Hkbsse.exe
2000	Hkbsse.exe
3528	Hkbsse.exe
3528	Hkbsse.exe
636	Hkbsse.exe
636	Hkbsse.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

description	pid	process	target process
PID 3436 wrote to memory of 3948	3436	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe	Hkbsse.exe
PID 3436 wrote to memory of 3948	3436	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe	Hkbsse.exe
PID 3436 wrote to memory of 3948	3436	25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe	Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
"C:\Users\Admin\AppData\Local\Temp\25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124900551406
Filesize
74KB

MD5
067076a3345c9a06e50ca1e4a018e5dc

SHA1
14398f35d3123df314e2b5374198c307e4f86107

SHA256
e979b8235ef8d4b3b8b61a9b8e31be9272583f54f8dbdf5e9bc8e1236129bc3b

SHA512
7dea86540fba66493b228bc8804ed70411e5d9c35d4fa4be3059f90538bf41b0c31a5eee75c6a99c8d57393b7e12ce435b0f86c581184493113bf6bde8561e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
Filesize
9.9MB

MD5
36738debf327efec480324af18b94766

SHA1
5485d691b89a483f823a5be4b3c2b9a3a755f3fd

SHA256
25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587

SHA512
d58b10fcd8cf88cda44e9fd1bd7a7d5c029ccf920464290152c9f005382b3720b6a84ef1750a4595c4611905cc22f358daa0fb5a2e7de4ee51be1907c6c3c64e

Download Submit
memory/432-91-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/432-89-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/596-124-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/596-123-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1076-31-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/1076-32-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/1152-120-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/1424-77-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/1592-43-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/1592-41-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2300-138-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/2300-46-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/2300-47-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/2372-67-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/3076-71-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/3436-18-0x000000000068B000-0x0000000000C00000-memory.dmp

Filesize
5.5MB

Download
memory/3436-3-0x000000000068B000-0x0000000000C00000-memory.dmp

Filesize
5.5MB

Download
memory/3436-1-0x0000000000620000-0x00000000015E6000-memory.dmp

Filesize
15.8MB

Download
memory/3436-0-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download
memory/3436-5-0x0000000000620000-0x00000000015E6000-memory.dmp

Filesize
15.8MB

Download
memory/3436-17-0x0000000000620000-0x00000000015E6000-memory.dmp

Filesize
15.8MB

Download
memory/3948-19-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3948-29-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/3948-20-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/3948-23-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/3948-24-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/4016-100-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/4448-94-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/4448-96-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/4740-113-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/4740-115-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/4988-52-0x0000000000550000-0x0000000001516000-memory.dmp

Filesize
15.8MB

Download
memory/4988-51-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download