amadey | 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
Size

4.4MB
MD5

3bea43a1f70e751778d17ff9db41b0a3
SHA1

3637c87f85c1f2d8526535f3de05b9943b5dd665
SHA256

83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3
SHA512

1638893ac4d7a0ee23e2e942e2a683ce5ff61365ef3020c9e4790a52e77901881a09a27cab4ef9d8539fdbc7af64675161651ac7500751c2c5bc4ae693a4ea20
SSDEEP

98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmb:cfU+OsvwoYOau3gosPbk4f/b4

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php
/forum2/index.php
/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exepythonw.exepythonw.exe

pid process

3056 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
1584 pythonw.exe
4612 pythonw.exe
Loads dropped DLL 5 IoCs

Processes:

83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exepythonw.exepythonw.exe

pid process

3056 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
1584 pythonw.exe
1584 pythonw.exe
4612 pythonw.exe
4612 pythonw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description pid process target process

PID 4612 set thread context of 3452 4612 pythonw.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

pythonw.exepythonw.execmd.exe

pid process

1584 pythonw.exe
4612 pythonw.exe
4612 pythonw.exe
3452 cmd.exe
3452 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.execmd.exe

pid process

4612 pythonw.exe
3452 cmd.exe

pid	process
3056	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
1584	pythonw.exe
4612	pythonw.exe

pid	process
3056	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
1584	pythonw.exe
1584	pythonw.exe
4612	pythonw.exe
4612	pythonw.exe

description	pid	process	target process
PID 4612 set thread context of 3452	4612	pythonw.exe	cmd.exe

pid	process
1584	pythonw.exe
4612	pythonw.exe
4612	pythonw.exe
3452	cmd.exe
3452	cmd.exe

pid	process
4612	pythonw.exe
3452	cmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exepythonw.exepythonw.execmd.exe

description	pid	process	target process
PID 3396 wrote to memory of 3056	3396	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
PID 3396 wrote to memory of 3056	3396	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
PID 3396 wrote to memory of 3056	3396	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
PID 3056 wrote to memory of 1584	3056	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe	pythonw.exe
PID 3056 wrote to memory of 1584	3056	83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe	pythonw.exe
PID 1584 wrote to memory of 4612	1584	pythonw.exe	pythonw.exe
PID 1584 wrote to memory of 4612	1584	pythonw.exe	pythonw.exe
PID 4612 wrote to memory of 3452	4612	pythonw.exe	cmd.exe
PID 4612 wrote to memory of 3452	4612	pythonw.exe	cmd.exe
PID 4612 wrote to memory of 3452	4612	pythonw.exe	cmd.exe
PID 4612 wrote to memory of 3452	4612	pythonw.exe	cmd.exe
PID 3452 wrote to memory of 3344	3452	cmd.exe	explorer.exe
PID 3452 wrote to memory of 3344	3452	cmd.exe	explorer.exe
PID 3452 wrote to memory of 3344	3452	cmd.exe	explorer.exe
PID 3452 wrote to memory of 3344	3452	cmd.exe	explorer.exe
PID 3452 wrote to memory of 3344	3452	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
"C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\Temp\{413F909C-12B5-4E0D-98B2-4D282693DB6C}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
"C:\Windows\Temp\{413F909C-12B5-4E0D-98B2-4D282693DB6C}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe" -burn.filehandle.attached=532 -burn.filehandle.self=540
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\pythonw.exe
"C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\pythonw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
PID:3344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124900551406
Filesize
77KB

MD5
86965bd500e626275d6c271792145faa

SHA1
cb992ad1498e6c08c8d321b0c4481712ba00507a

SHA256
c6ff7eb45d24cbdcc54ebedecd67548611754d3de16e338119de310b0f4f18ad

SHA512
29fc1a60696ca0780ca4fe57e0c637cd1186977c5b1f475d4c5c6ac2d98fd59aeda1ee10f15520276823ce7b76232a870eb609b5e9fb3ca152b827d4f7b886da

Download Submit
C:\Users\Admin\AppData\Local\Temp\63e2cdb8
Filesize
1.1MB

MD5
e36c0dd505b194ef9fd9a11826dc6196

SHA1
69e2362ac1b9daf4b30557363c361130e2330247

SHA256
5b927959b8562c7633fb64dc6961eac5e1293186d1b4e6924dae8330a3d0253b

SHA512
3603c7a151801a1bf5423639591865cbf8da11d20b737bcb1553a3cfe1da6cd1e80577ca53d283fec8b99aaa0c11e28c6ccb7dc47722f9d81cdb675154242eff

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
C:\Windows\Temp\{413F909C-12B5-4E0D-98B2-4D282693DB6C}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
Filesize
4.4MB

MD5
e3635175852f9b41caa9e0b1f7484dbf

SHA1
ceab4f1b5ead34586addcd351b9528c2dc5627e1

SHA256
5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2

SHA512
ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\Tiderip.dll
Filesize
1.2MB

MD5
a632842bba74492720c9a6f9a8ad231c

SHA1
f361debaf17b08174e49ed9a35d99bffb3dc0510

SHA256
52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8

SHA512
0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\film.php
Filesize
67KB

MD5
43afa90c95cc223a5d86d67ffad9abcc

SHA1
9f142e11ed9331292227247cb842cd4c5a82773d

SHA256
a5295f0cd05655c1c79f5000bef797c390f4df2f6b05d0febb65f26cda076411

SHA512
a9ad8ef8faf059c2f70127aad6f0cb31831f42b75a773ba4186a257fefba377791cea0c96f3ac3ec10a7cab947ff75f1876570ef038f526b87cae5e6579dac36

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\python310.dll
Filesize
4.3MB

MD5
ba6483887ff60e3a7c5eebbba62ed060

SHA1
964c38a1c2519f7368ef2c94fbba6a24856d3fe3

SHA256
198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f

SHA512
0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\pythonw.exe
Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\raphe.doc
Filesize
900KB

MD5
2c247fc433fb1ade899955ac89e8102f

SHA1
22428f24ce4384565357ad88650e4f6b94a15e4b

SHA256
154f9f3d968721528a0e7453a723e2b480b06cb1bd294721be5debf4cc3f836f

SHA512
98e2e5b2dbc551295f540d3682470389d892d68fa08e3fc325fc188300870f1a02289c2527e472bb60a62b917fb440115a86ba183c2998ad3dffe4a8263f4993

Download Submit
C:\Windows\Temp\{9B372D21-77EF-4DA4-BA8E-BCF86E2C3AA7}\.ba\vcruntime140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
memory/1584-24-0x00007FF8E4050000-0x00007FF8E41C2000-memory.dmp

Filesize
1.4MB

Download
memory/3056-13-0x00000000696C0000-0x00000000697F0000-memory.dmp

Filesize
1.2MB

Download
memory/3344-48-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3344-47-0x00007FF9028D0000-0x00007FF902AC5000-memory.dmp

Filesize
2.0MB

Download
memory/3344-54-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3344-66-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3344-76-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3344-82-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3452-45-0x0000000075AD0000-0x0000000075C4B000-memory.dmp

Filesize
1.5MB

Download
memory/3452-44-0x00007FF9028D0000-0x00007FF902AC5000-memory.dmp

Filesize
2.0MB

Download
memory/4612-41-0x00007FF8E4050000-0x00007FF8E41C2000-memory.dmp

Filesize
1.4MB

Download
memory/4612-40-0x00007FF8E4050000-0x00007FF8E41C2000-memory.dmp

Filesize
1.4MB

Download