amadey | d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe
Size

370KB
MD5

1f68fe6fc999460d808a243a15232611
SHA1

2c5b12ad940e1772b001d85b77c5b86f84b9eb03
SHA256

d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719
SHA512

e5faf7c55297860b5304699e304b5ebe8527f73bf2b7f71d30111712df6eec50e9f38b2930f87c14c762b2143d74ff7ce71953ce261c93a6857193389f8c278f
SSDEEP

6144:4iHP5o9P45e/kejyjel3IUIBaouNfiAtC+Qgm7f1vOFqx:4aP5yZDjQgIUIBaoQfieQg61mFqx

Score

10^/10

amadey 667bac trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

667bac

http://94.156.68.141

Attributes

install_dir
716b9e4c6b
install_file
Dctooux.exe
strings_key
8e31b2add27c52b4aedc47b90f997046
url_paths
/h9fmdW5/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe

Executes dropped EXE 4 IoCs

pid	Process
4008	Dctooux.exe
3716	Dctooux.exe
3940	Dctooux.exe
3992	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
4732	4160	WerFault.exe	81
232	4160	WerFault.exe	81
1428	4160	WerFault.exe	81
4132	4160	WerFault.exe	81
4516	4160	WerFault.exe	81
3016	4160	WerFault.exe	81
1400	4160	WerFault.exe	81
2920	4160	WerFault.exe	81
4672	4160	WerFault.exe	81
4304	4160	WerFault.exe	81
4408	4160	WerFault.exe	81
2692	4008	WerFault.exe	113
3200	4008	WerFault.exe	113
396	4008	WerFault.exe	113
4312	4008	WerFault.exe	113
4876	4008	WerFault.exe	113
2620	4008	WerFault.exe	113
1712	4008	WerFault.exe	113
3476	4008	WerFault.exe	113
4172	4008	WerFault.exe	113
436	4008	WerFault.exe	113
212	4008	WerFault.exe	113
3700	3716	WerFault.exe	143
2624	3940	WerFault.exe	149
624	4008	WerFault.exe	113

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4160	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 4008	4160	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe	113
PID 4160 wrote to memory of 4008	4160	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe	113
PID 4160 wrote to memory of 4008	4160	d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe	113

C:\Users\Admin\AppData\Local\Temp\d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe
"C:\Users\Admin\AppData\Local\Temp\d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 756
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 800
  2⤵
  - Program crash
  PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 856
  2⤵
  - Program crash
  PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 932
  2⤵
  - Program crash
  PID:4132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 968
  2⤵
  - Program crash
  PID:4516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 928
  2⤵
  - Program crash
  PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1108
  2⤵
  - Program crash
  PID:1400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1108
  2⤵
  - Program crash
  PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1120
  2⤵
  - Program crash
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 548
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 568
    3⤵
    - Program crash
    PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 620
    3⤵
    - Program crash
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 840
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 888
    3⤵
    - Program crash
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 908
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 908
    3⤵
    - Program crash
    PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 952
    3⤵
    - Program crash
    PID:3476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 944
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1132
    3⤵
    - Program crash
    PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1324
    3⤵
    - Program crash
    PID:212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 892
    3⤵
    - Program crash
    PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 904
  2⤵
  - Program crash
  PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1332
  2⤵
  - Program crash
  PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4160 -ip 4160
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4160 -ip 4160
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4160 -ip 4160
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4160 -ip 4160
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4160 -ip 4160
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4160 -ip 4160
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4160 -ip 4160
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4160 -ip 4160
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4160 -ip 4160
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4160 -ip 4160
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4160 -ip 4160
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4008 -ip 4008
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4008 -ip 4008
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4008 -ip 4008
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4008 -ip 4008
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4008 -ip 4008
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4008 -ip 4008
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4008 -ip 4008
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4008 -ip 4008
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4008 -ip 4008
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4008 -ip 4008
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4008 -ip 4008
1⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 448
  2⤵
  - Program crash
  PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3716 -ip 3716
1⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 440
  2⤵
  - Program crash
  PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3940 -ip 3940
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4008 -ip 4008
1⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\716b9e4c6b\Dctooux.exe

Filesize
370KB

MD5
1f68fe6fc999460d808a243a15232611

SHA1
2c5b12ad940e1772b001d85b77c5b86f84b9eb03

SHA256
d10fd57ed5550212a4bfbb65732c489479c49c888737d3dc818290189fc2e719

SHA512
e5faf7c55297860b5304699e304b5ebe8527f73bf2b7f71d30111712df6eec50e9f38b2930f87c14c762b2143d74ff7ce71953ce261c93a6857193389f8c278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\804150937214

Filesize
78KB

MD5
3bc4112b87a601950f9df448d8b6e20c

SHA1
5e2902d6a47bc99bca9fb5579df84c3ec807394d

SHA256
5a95b8cfbd2027d688454b49b27e18997037813687a504a9980292529626abfc

SHA512
d4eb9e7f174377b19d9d4fae2539305f3119a6f548db6dd44b511a3bafc7e9078084fe5dd79a5bc9a54cc1028261516a432ad73add1b6946fb4b47b2312b6f0f

Download Submit
memory/3716-28-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/3716-29-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/3716-30-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/3940-44-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/4008-19-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/4008-24-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/4008-36-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/4160-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4160-15-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/4160-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4160-16-0x0000000000920000-0x000000000098B000-memory.dmp

Filesize
428KB

Download
memory/4160-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/4160-2-0x0000000000920000-0x000000000098B000-memory.dmp

Filesize
428KB

Download