amadey | 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

General

Target

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Size

420KB
MD5

7b432411c12d3d0d31ecaf9011450e42
SHA1

968943d42ba1e8938989b6ed1884195c2285396f
SHA256

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA512

6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
SSDEEP

6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 5 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

5116 Dctooux.exe
5056 Dctooux.exe
2376 Dctooux.exe
2796 Dctooux.exe
4984 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5116	Dctooux.exe
5056	Dctooux.exe
2376	Dctooux.exe
2796	Dctooux.exe
4984	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1120	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
3132	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
3992	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
3752	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4556	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
2872	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4984	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
5100	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
4228	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
1416	4636	WerFault.exe	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

pid process

4636 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

pid	process
4636	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
"C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 688
2⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 740
2⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 820
2⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 828
2⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 848
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 852
2⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1064
2⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1108
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1168
2⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1232
2⤵
- Program crash
PID:1416

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
memory/2376-40-0x0000000000DC0000-0x0000000000EC0000-memory.dmp

Filesize
1024KB

Download
memory/2376-42-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2376-41-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2796-53-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2796-52-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2796-51-0x0000000000C70000-0x0000000000D70000-memory.dmp

Filesize
1024KB

Download
memory/4636-11-0x0000000000D00000-0x0000000000E00000-memory.dmp

Filesize
1024KB

Download
memory/4636-3-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4636-2-0x0000000000C60000-0x0000000000CCF000-memory.dmp

Filesize
444KB

Download
memory/4636-8-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/4636-9-0x0000000000C60000-0x0000000000CCF000-memory.dmp

Filesize
444KB

Download
memory/4636-1-0x0000000000D00000-0x0000000000E00000-memory.dmp

Filesize
1024KB

Download
memory/4984-62-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/4984-63-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/5056-31-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/5056-30-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/5056-29-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

Filesize
1024KB

Download
memory/5116-18-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

Filesize
1024KB

Download
memory/5116-19-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/5116-20-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing