amadey | 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

General

Target

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Size

420KB
MD5

7b432411c12d3d0d31ecaf9011450e42
SHA1

968943d42ba1e8938989b6ed1884195c2285396f
SHA256

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA512

6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
SSDEEP

6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 5 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4944 Dctooux.exe
4728 Dctooux.exe
1356 Dctooux.exe
4504 Dctooux.exe
5100 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4944	Dctooux.exe
4728	Dctooux.exe
1356	Dctooux.exe
4504	Dctooux.exe
5100	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4496	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4620	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4124	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
2808	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
3784	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
5100	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
3240	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
568	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
2208	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4900	3132	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

pid process

3132 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

pid	process
3132	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
"C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 692
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 740
2⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 812
2⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 820
2⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 848
2⤵
- Program crash
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 860
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1064
2⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1092
2⤵
- Program crash
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1168
2⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1224
2⤵
- Program crash
PID:4900

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
memory/1356-41-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1356-40-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1356-39-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

Filesize
1024KB

Download
memory/3132-11-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/3132-8-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/3132-9-0x0000000000C60000-0x0000000000CCF000-memory.dmp

Filesize
444KB

Download
memory/3132-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/3132-2-0x0000000000C60000-0x0000000000CCF000-memory.dmp

Filesize
444KB

Download
memory/3132-3-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4504-51-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4504-50-0x0000000000E50000-0x0000000000F50000-memory.dmp

Filesize
1024KB

Download
memory/4504-52-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4728-29-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4728-30-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4728-28-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

Filesize
1024KB

Download
memory/4944-19-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4944-18-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4944-17-0x0000000000D50000-0x0000000000E50000-memory.dmp

Filesize
1024KB

Download
memory/5100-61-0x0000000000BE0000-0x0000000000CE0000-memory.dmp

Filesize
1024KB

Download
memory/5100-62-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/5100-63-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing