amadey | aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
Size

4.5MB
MD5

39103d2ddc8be33f1c9ecd4f66631ef1
SHA1

9d0f8e138071ba7ef007c4782d1de5c9dbdb39e1
SHA256

aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5
SHA512

e3314f5af251043193c563969840cb9c18e7942980ed143c50e813473d7c37d3daa2f26e1c26a0a48d38452c9546f953fe66b4e23cd1dc7a59c9eefc5c438e9e
SSDEEP

98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmn:cfU+OsvwoYOau3gosPbk4f/b0

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php
/forum2/index.php
/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exepythonw.exepythonw.exe

pid process

5092 aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
4284 pythonw.exe
3356 pythonw.exe
Loads dropped DLL 5 IoCs

Processes:

aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exepythonw.exepythonw.exe

pid process

5092 aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
4284 pythonw.exe
4284 pythonw.exe
3356 pythonw.exe
3356 pythonw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description pid process target process

PID 3356 set thread context of 4288 3356 pythonw.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

pythonw.exepythonw.execmd.exe

pid process

4284 pythonw.exe
3356 pythonw.exe
3356 pythonw.exe
4288 cmd.exe
4288 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.execmd.exe

pid process

3356 pythonw.exe
4288 cmd.exe

pid	process
5092	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
4284	pythonw.exe
3356	pythonw.exe

pid	process
5092	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
4284	pythonw.exe
4284	pythonw.exe
3356	pythonw.exe
3356	pythonw.exe

description	pid	process	target process
PID 3356 set thread context of 4288	3356	pythonw.exe	cmd.exe

pid	process
4284	pythonw.exe
3356	pythonw.exe
3356	pythonw.exe
4288	cmd.exe
4288	cmd.exe

pid	process
3356	pythonw.exe
4288	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exeaaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exepythonw.exepythonw.execmd.exe

description	pid	process	target process
PID 4844 wrote to memory of 5092	4844	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
PID 4844 wrote to memory of 5092	4844	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
PID 4844 wrote to memory of 5092	4844	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
PID 5092 wrote to memory of 4284	5092	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe	pythonw.exe
PID 5092 wrote to memory of 4284	5092	aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe	pythonw.exe
PID 4284 wrote to memory of 3356	4284	pythonw.exe	pythonw.exe
PID 4284 wrote to memory of 3356	4284	pythonw.exe	pythonw.exe
PID 3356 wrote to memory of 4288	3356	pythonw.exe	cmd.exe
PID 3356 wrote to memory of 4288	3356	pythonw.exe	cmd.exe
PID 3356 wrote to memory of 4288	3356	pythonw.exe	cmd.exe
PID 3356 wrote to memory of 4288	3356	pythonw.exe	cmd.exe
PID 4288 wrote to memory of 4696	4288	cmd.exe	explorer.exe
PID 4288 wrote to memory of 4696	4288	cmd.exe	explorer.exe
PID 4288 wrote to memory of 4696	4288	cmd.exe	explorer.exe
PID 4288 wrote to memory of 4696	4288	cmd.exe	explorer.exe
PID 4288 wrote to memory of 4696	4288	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
"C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\Temp\{29C3A70E-B406-40C7-B3AA-BBE628D9E258}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
"C:\Windows\Temp\{29C3A70E-B406-40C7-B3AA-BBE628D9E258}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe" -burn.filehandle.attached=684 -burn.filehandle.self=544
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\pythonw.exe
"C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\pythonw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48ac8499
Filesize
1.1MB

MD5
b0db5272e698b3a0a30c5f46b3303971

SHA1
495b34eed86b582b0b49c66a70a9a0efc731dea9

SHA256
8cca360f779cabb8db3e22c639cd7ec2a70f4ac83fa84a2337a3dce8a5a01392

SHA512
fc8b8d26cc5195ea435b29b3de37750274a69556ddde686181c5d7ff5ddf14b5ebabccee001764bab91b19d4eb1dcb8d13a4804e10de0b431be683077a3472c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\808065738166
Filesize
82KB

MD5
493759d346659b51ab9c72d307b27c4a

SHA1
be7cbe3d91e619fdceff2e9b75c2dc810fcb6527

SHA256
f8bdeef5307e304ca4cc88168ac4e005ac068e17340adc9869d13cd8697456a2

SHA512
3c3c0c8bb47f7c09f892c430ad3e1909dc1c315e4a5c13d485232cd99e004f95fcb30d7de34aa7b2027faf3ce2e33e266477eeb3fa80e0f9b0000419879a58e1

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
C:\Windows\Temp\{29C3A70E-B406-40C7-B3AA-BBE628D9E258}\.cr\aaffbec59626a9acefa2b6c7effa8fea29fc0f3ea3ec9c8d32552e8c976dcbc5.exe
Filesize
4.4MB

MD5
e3635175852f9b41caa9e0b1f7484dbf

SHA1
ceab4f1b5ead34586addcd351b9528c2dc5627e1

SHA256
5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2

SHA512
ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\Tiderip.dll
Filesize
1.2MB

MD5
a632842bba74492720c9a6f9a8ad231c

SHA1
f361debaf17b08174e49ed9a35d99bffb3dc0510

SHA256
52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8

SHA512
0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\film.php
Filesize
67KB

MD5
43afa90c95cc223a5d86d67ffad9abcc

SHA1
9f142e11ed9331292227247cb842cd4c5a82773d

SHA256
a5295f0cd05655c1c79f5000bef797c390f4df2f6b05d0febb65f26cda076411

SHA512
a9ad8ef8faf059c2f70127aad6f0cb31831f42b75a773ba4186a257fefba377791cea0c96f3ac3ec10a7cab947ff75f1876570ef038f526b87cae5e6579dac36

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\python310.dll
Filesize
4.3MB

MD5
ba6483887ff60e3a7c5eebbba62ed060

SHA1
964c38a1c2519f7368ef2c94fbba6a24856d3fe3

SHA256
198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f

SHA512
0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\pythonw.exe
Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{650A2A60-0E0F-47C8-9809-476B31030E36}\.ba\raphe.doc
Filesize
900KB

MD5
2c247fc433fb1ade899955ac89e8102f

SHA1
22428f24ce4384565357ad88650e4f6b94a15e4b

SHA256
154f9f3d968721528a0e7453a723e2b480b06cb1bd294721be5debf4cc3f836f

SHA512
98e2e5b2dbc551295f540d3682470389d892d68fa08e3fc325fc188300870f1a02289c2527e472bb60a62b917fb440115a86ba183c2998ad3dffe4a8263f4993

Download Submit
memory/3356-39-0x00007FFAE2D60000-0x00007FFAE2ED2000-memory.dmp

Filesize
1.4MB

Download
memory/3356-41-0x00007FFAE2D60000-0x00007FFAE2ED2000-memory.dmp

Filesize
1.4MB

Download
memory/4284-24-0x00007FFAE2D60000-0x00007FFAE2ED2000-memory.dmp

Filesize
1.4MB

Download
memory/4288-44-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp

Filesize
2.0MB

Download
memory/4288-45-0x0000000075990000-0x0000000075B0B000-memory.dmp

Filesize
1.5MB

Download
memory/4696-47-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp

Filesize
2.0MB

Download
memory/4696-48-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-49-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-51-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-56-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-68-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-77-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/4696-83-0x0000000000C70000-0x0000000000CE3000-memory.dmp

Filesize
460KB

Download
memory/5092-13-0x00000000696C0000-0x00000000697F0000-memory.dmp

Filesize
1.2MB

Download