amadey | c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b

Analysis

max time kernel
291s
max time network
264s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15-03-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
Size

388KB
MD5

0de19cd17462ea79db1a5e5fd1d7f59f
SHA1

d2b313dcfbda9a04475fc01182336b52846bbe3b
SHA256

c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b
SHA512

0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c
SSDEEP

6144:xw5S4d8nVyt7UcbfbXoAZvKAHiq7bSVXVU/OooMQEqChuiTAOxiMd:+5B/Uczb4AZvKAHuO/YEJus

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3340	3264	WerFault.exe	71
4996	3264	WerFault.exe	71
5040	3264	WerFault.exe	71
2560	3264	WerFault.exe	71
5104	3264	WerFault.exe	71
4088	3264	WerFault.exe	71
5008	3264	WerFault.exe	71
3772	3264	WerFault.exe	71
4652	3264	WerFault.exe	71

C:\Users\Admin\AppData\Local\Temp\c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe
"C:\Users\Admin\AppData\Local\Temp\c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b.exe"
1⤵
- Drops file in Windows directory
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 696
  2⤵
  - Program crash
  PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 740
  2⤵
  - Program crash
  PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 812
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 820
  2⤵
  - Program crash
  PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 848
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 856
  2⤵
  - Program crash
  PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1068
  2⤵
  - Program crash
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1100
  2⤵
  - Program crash
  PID:3772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1080
  2⤵
  - Program crash
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3264-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/3264-2-0x0000000002100000-0x000000000216F000-memory.dmp

Filesize
444KB

Download
memory/3264-3-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3264-5-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3264-7-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/3264-8-0x0000000002100000-0x000000000216F000-memory.dmp

Filesize
444KB

Download