amadey | e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd

Analysis

max time kernel
146s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
26-05-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
Size

4.5MB
MD5

2505c6f2331cfc6d1a74b7009ecb41ea
SHA1

67fe99c67d3aeb351d2cef54ba352a328db65433
SHA256

e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd
SHA512

7b1ffcdb8a6300c62bffd62b4bad3aabc24bbb67e40b95ad197fb662b72a363af1c67d6422def2f837ac6297918ebc222c907c73dcc67c7b130c0a47379fd611
SSDEEP

98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmf:cfU+OsvwoYOau3gosPbk4f/bo

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php
/forum2/index.php
/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exepythonw.exepythonw.exe

pid process

1456 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
3216 pythonw.exe
2848 pythonw.exe
Loads dropped DLL 5 IoCs

Processes:

e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exepythonw.exepythonw.exe

pid process

1456 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
3216 pythonw.exe
3216 pythonw.exe
2848 pythonw.exe
2848 pythonw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description pid process target process

PID 2848 set thread context of 2132 2848 pythonw.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

pythonw.exepythonw.execmd.exe

pid process

3216 pythonw.exe
2848 pythonw.exe
2848 pythonw.exe
2132 cmd.exe
2132 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.execmd.exe

pid process

2848 pythonw.exe
2132 cmd.exe

pid	process
1456	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
3216	pythonw.exe
2848	pythonw.exe

pid	process
1456	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
3216	pythonw.exe
3216	pythonw.exe
2848	pythonw.exe
2848	pythonw.exe

description	pid	process	target process
PID 2848 set thread context of 2132	2848	pythonw.exe	cmd.exe

pid	process
3216	pythonw.exe
2848	pythonw.exe
2848	pythonw.exe
2132	cmd.exe
2132	cmd.exe

pid	process
2848	pythonw.exe
2132	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exee9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exepythonw.exepythonw.execmd.exe

description	pid	process	target process
PID 3000 wrote to memory of 1456	3000	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
PID 3000 wrote to memory of 1456	3000	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
PID 3000 wrote to memory of 1456	3000	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
PID 1456 wrote to memory of 3216	1456	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe	pythonw.exe
PID 1456 wrote to memory of 3216	1456	e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe	pythonw.exe
PID 3216 wrote to memory of 2848	3216	pythonw.exe	pythonw.exe
PID 3216 wrote to memory of 2848	3216	pythonw.exe	pythonw.exe
PID 2848 wrote to memory of 2132	2848	pythonw.exe	cmd.exe
PID 2848 wrote to memory of 2132	2848	pythonw.exe	cmd.exe
PID 2848 wrote to memory of 2132	2848	pythonw.exe	cmd.exe
PID 2848 wrote to memory of 2132	2848	pythonw.exe	cmd.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	explorer.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	explorer.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	explorer.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	explorer.exe
PID 2132 wrote to memory of 4192	2132	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
"C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\Temp\{D11CAEA8-4BC5-4B10-84FB-FDECEA0EEB7E}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
"C:\Windows\Temp\{D11CAEA8-4BC5-4B10-84FB-FDECEA0EEB7E}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe" -burn.filehandle.attached=568 -burn.filehandle.self=572
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\pythonw.exe
"C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\pythonw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d5a78d3
Filesize
1.1MB

MD5
5ba0f86a6f55a9529751de9276711184

SHA1
c2da6c816a35d327ae239d1fb06c41b63a6fb07a

SHA256
7f2ff5ff08485a9027c055c02e1edc3f10bc4721418f6b6fb0ffe0b3a9134544

SHA512
eb6ac82c882b761821c390d608f2b2d747229a9a5360b179aad2975f57b2533891094b26c500f25c2a8f0ece3b7fb1229917093bd5e37645bc8cf7d2b8198a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\474490143322
Filesize
74KB

MD5
f8e5d49aecf7aa56f2b383151f892a70

SHA1
937101feca124f77952c9ce6845bf53bc7a066c1

SHA256
dadffea243eadd0d3e80b194e1e7c2ddda4a7b53685a84f057ef1cddbae72d95

SHA512
dde59fb995a4fc4a6ca7e589d23d1ecd6f89b3477f9e1eb4c34776e3a4041b2c15621cbaccdec878b1f7a6cd9ff1a64e591cbf0b3bf8f9a3b2e463446787fcfa

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
C:\Windows\Temp\{D11CAEA8-4BC5-4B10-84FB-FDECEA0EEB7E}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
Filesize
4.4MB

MD5
e3635175852f9b41caa9e0b1f7484dbf

SHA1
ceab4f1b5ead34586addcd351b9528c2dc5627e1

SHA256
5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2

SHA512
ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\Tiderip.dll
Filesize
1.2MB

MD5
a632842bba74492720c9a6f9a8ad231c

SHA1
f361debaf17b08174e49ed9a35d99bffb3dc0510

SHA256
52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8

SHA512
0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\film.php
Filesize
67KB

MD5
43afa90c95cc223a5d86d67ffad9abcc

SHA1
9f142e11ed9331292227247cb842cd4c5a82773d

SHA256
a5295f0cd05655c1c79f5000bef797c390f4df2f6b05d0febb65f26cda076411

SHA512
a9ad8ef8faf059c2f70127aad6f0cb31831f42b75a773ba4186a257fefba377791cea0c96f3ac3ec10a7cab947ff75f1876570ef038f526b87cae5e6579dac36

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\python310.dll
Filesize
4.3MB

MD5
ba6483887ff60e3a7c5eebbba62ed060

SHA1
964c38a1c2519f7368ef2c94fbba6a24856d3fe3

SHA256
198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f

SHA512
0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\pythonw.exe
Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{FFEBE98E-2720-4631-ADB4-3C6817BF9538}\.ba\raphe.doc
Filesize
900KB

MD5
2c247fc433fb1ade899955ac89e8102f

SHA1
22428f24ce4384565357ad88650e4f6b94a15e4b

SHA256
154f9f3d968721528a0e7453a723e2b480b06cb1bd294721be5debf4cc3f836f

SHA512
98e2e5b2dbc551295f540d3682470389d892d68fa08e3fc325fc188300870f1a02289c2527e472bb60a62b917fb440115a86ba183c2998ad3dffe4a8263f4993

Download Submit
memory/1456-13-0x00000000696C0000-0x00000000697F0000-memory.dmp

Filesize
1.2MB

Download
memory/2132-45-0x0000000075550000-0x00000000756CD000-memory.dmp

Filesize
1.5MB

Download
memory/2132-44-0x00007FF81C5E0000-0x00007FF81C7E9000-memory.dmp

Filesize
2.0MB

Download
memory/2848-41-0x00007FFFFB7D0000-0x00007FFFFB94A000-memory.dmp

Filesize
1.5MB

Download
memory/2848-40-0x00007FFFFB7D0000-0x00007FFFFB94A000-memory.dmp

Filesize
1.5MB

Download
memory/3216-24-0x00007FFFFB7D0000-0x00007FFFFB94A000-memory.dmp

Filesize
1.5MB

Download
memory/4192-47-0x00007FF81C5E0000-0x00007FF81C7E9000-memory.dmp

Filesize
2.0MB

Download
memory/4192-48-0x0000000000A00000-0x0000000000A73000-memory.dmp

Filesize
460KB

Download
memory/4192-55-0x0000000000A00000-0x0000000000A73000-memory.dmp

Filesize
460KB

Download
memory/4192-67-0x0000000000A00000-0x0000000000A73000-memory.dmp

Filesize
460KB

Download
memory/4192-77-0x0000000000A00000-0x0000000000A73000-memory.dmp

Filesize
460KB

Download
memory/4192-83-0x0000000000A00000-0x0000000000A73000-memory.dmp

Filesize
460KB

Download