amadey | 985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe
Size

440KB
MD5

7975c6314618a21c1280b28a7db82e9a
SHA1

2134904558aa14a68e73f177401baac2151263de
SHA256

985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e
SHA512

da4b23b5629f3a3b99cb20a361d6d32e39af2e47d78a98380534da5906d79a2e90a72420ef97c5c6cc81c45e6dd052157104f1a23d7d8effe90658c4587267db
SSDEEP

12288:4mOuV0e8bMOS1M5PzeLbiA1C3bGHmUayGpC:pSHndaEaSpC

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe

Executes dropped EXE 3 IoCs

pid	Process
4304	Dctooux.exe
1548	Dctooux.exe
1656	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
1768	4436	WerFault.exe	90
3096	4436	WerFault.exe	90
2004	4436	WerFault.exe	90
944	4436	WerFault.exe	90
3904	4436	WerFault.exe	90
1624	4436	WerFault.exe	90
5028	4436	WerFault.exe	90
2344	4436	WerFault.exe	90
4584	4436	WerFault.exe	90
3088	4436	WerFault.exe	90
5044	4304	WerFault.exe	117
2972	4304	WerFault.exe	117
4988	4304	WerFault.exe	117
4440	4304	WerFault.exe	117
1548	4304	WerFault.exe	117
3524	4304	WerFault.exe	117
3548	4304	WerFault.exe	117
2056	4304	WerFault.exe	117
4000	4304	WerFault.exe	117
2256	4304	WerFault.exe	117
2436	4304	WerFault.exe	117
2640	4304	WerFault.exe	117
2360	4304	WerFault.exe	117
1396	4304	WerFault.exe	117
3968	4304	WerFault.exe	117
3956	4304	WerFault.exe	117
944	1548	WerFault.exe	153
3848	1656	WerFault.exe	157
2700	4304	WerFault.exe	117

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4436	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4304	4436	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	117
PID 4436 wrote to memory of 4304	4436	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	117
PID 4436 wrote to memory of 4304	4436	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	117

C:\Users\Admin\AppData\Local\Temp\985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe
"C:\Users\Admin\AppData\Local\Temp\985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 756
  2⤵
  - Program crash
  PID:1768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 804
  2⤵
  - Program crash
  PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 860
  2⤵
  - Program crash
  PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 868
  2⤵
  - Program crash
  PID:944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 872
  2⤵
  - Program crash
  PID:3904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 872
  2⤵
  - Program crash
  PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1128
  2⤵
  - Program crash
  PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1184
  2⤵
  - Program crash
  PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1244
  2⤵
  - Program crash
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 560
    3⤵
    - Program crash
    PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 568
    3⤵
    - Program crash
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 576
    3⤵
    - Program crash
    PID:4988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 584
    3⤵
    - Program crash
    PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 704
    3⤵
    - Program crash
    PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 888
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 748
    3⤵
    - Program crash
    PID:3548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 716
    3⤵
    - Program crash
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 716
    3⤵
    - Program crash
    PID:4000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 748
    3⤵
    - Program crash
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 992
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1052
    3⤵
    - Program crash
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1080
    3⤵
    - Program crash
    PID:2360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1184
    3⤵
    - Program crash
    PID:1396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1408
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 1480
    3⤵
    - Program crash
    PID:3956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 892
    3⤵
    - Program crash
    PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 772
  2⤵
  - Program crash
  PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4436 -ip 4436
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4436 -ip 4436
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4436 -ip 4436
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4436 -ip 4436
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4436 -ip 4436
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4436 -ip 4436
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4436 -ip 4436
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4436 -ip 4436
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4436 -ip 4436
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4436 -ip 4436
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4304 -ip 4304
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4304 -ip 4304
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4304 -ip 4304
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4304 -ip 4304
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4304 -ip 4304
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4304 -ip 4304
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4304 -ip 4304
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4304 -ip 4304
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4304 -ip 4304
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4304 -ip 4304
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4304 -ip 4304
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4304 -ip 4304
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4304 -ip 4304
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4304 -ip 4304
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4304 -ip 4304
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4304 -ip 4304
1⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 448
  2⤵
  - Program crash
  PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1548 -ip 1548
1⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 452
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1656 -ip 1656
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4304 -ip 4304
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\808065738166

Filesize
78KB

MD5
6c4bfff2c3e108ab77b55354a1a1563b

SHA1
3edfd40221dc687c0176bf0e457388c3f40a5fc8

SHA256
b6cdebd1e7159a35a450b9ffc23d472b38cba1aa373211b3821ecb9bd15e01ad

SHA512
8142042a43159360d76beedfcfd7cdb99cf2876313d10110ebd09cb36b789f37368026f7b35a5d1b85ad6f6915e0d5383fa3e850a5bac3ff55e48d2f392e772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
440KB

MD5
7975c6314618a21c1280b28a7db82e9a

SHA1
2134904558aa14a68e73f177401baac2151263de

SHA256
985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e

SHA512
da4b23b5629f3a3b99cb20a361d6d32e39af2e47d78a98380534da5906d79a2e90a72420ef97c5c6cc81c45e6dd052157104f1a23d7d8effe90658c4587267db

Download Submit
memory/1548-41-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1548-42-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1548-40-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1656-52-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4304-30-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4304-44-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4304-18-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4436-2-0x00000000023F0000-0x000000000245B000-memory.dmp

Filesize
428KB

Download
memory/4436-5-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4436-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4436-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/4436-20-0x00000000023F0000-0x000000000245B000-memory.dmp

Filesize
428KB

Download
memory/4436-17-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4436-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download