amadey | 985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e

Analysis

max time kernel
144s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
05/06/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe
Size

440KB
MD5

7975c6314618a21c1280b28a7db82e9a
SHA1

2134904558aa14a68e73f177401baac2151263de
SHA256

985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e
SHA512

da4b23b5629f3a3b99cb20a361d6d32e39af2e47d78a98380534da5906d79a2e90a72420ef97c5c6cc81c45e6dd052157104f1a23d7d8effe90658c4587267db
SSDEEP

12288:4mOuV0e8bMOS1M5PzeLbiA1C3bGHmUayGpC:pSHndaEaSpC

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
4080	Dctooux.exe
4708	Dctooux.exe
3380	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
368	2884	WerFault.exe	75
4044	2884	WerFault.exe	75
3608	2884	WerFault.exe	75
1660	2884	WerFault.exe	75
420	2884	WerFault.exe	75
4992	2884	WerFault.exe	75
2532	2884	WerFault.exe	75
2968	2884	WerFault.exe	75
1680	2884	WerFault.exe	75
4864	2884	WerFault.exe	75
1012	4080	WerFault.exe	95
2056	4080	WerFault.exe	95
1608	4080	WerFault.exe	95
3916	4080	WerFault.exe	95
1176	4080	WerFault.exe	95
2072	4080	WerFault.exe	95
3188	4080	WerFault.exe	95
4804	4080	WerFault.exe	95
380	4080	WerFault.exe	95
1276	4080	WerFault.exe	95
1980	4080	WerFault.exe	95
3920	4080	WerFault.exe	95
4336	4080	WerFault.exe	95
4836	4080	WerFault.exe	95
4024	4080	WerFault.exe	95
4580	4080	WerFault.exe	95
1956	4708	WerFault.exe	130
2980	3380	WerFault.exe	133
2652	4080	WerFault.exe	95

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2884	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 4080	2884	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	95
PID 2884 wrote to memory of 4080	2884	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	95
PID 2884 wrote to memory of 4080	2884	985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe	95

C:\Users\Admin\AppData\Local\Temp\985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe
"C:\Users\Admin\AppData\Local\Temp\985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 780
  2⤵
  - Program crash
  PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 824
  2⤵
  - Program crash
  PID:4044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 880
  2⤵
  - Program crash
  PID:3608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 928
  2⤵
  - Program crash
  PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 936
  2⤵
  - Program crash
  PID:420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 952
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1020
  2⤵
  - Program crash
  PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1064
  2⤵
  - Program crash
  PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1136
  2⤵
  - Program crash
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 588
    3⤵
    - Program crash
    PID:1012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 608
    3⤵
    - Program crash
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 628
    3⤵
    - Program crash
    PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 656
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 764
    3⤵
    - Program crash
    PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 900
    3⤵
    - Program crash
    PID:2072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 920
    3⤵
    - Program crash
    PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 724
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 724
    3⤵
    - Program crash
    PID:380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 952
    3⤵
    - Program crash
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1064
    3⤵
    - Program crash
    PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1072
    3⤵
    - Program crash
    PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1448
    3⤵
    - Program crash
    PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1456
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1444
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1468
    3⤵
    - Program crash
    PID:4580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 904
    3⤵
    - Program crash
    PID:2652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 848
  2⤵
  - Program crash
  PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2884 -ip 2884
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2884 -ip 2884
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2884 -ip 2884
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2884 -ip 2884
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2884 -ip 2884
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2884 -ip 2884
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2884 -ip 2884
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2884 -ip 2884
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2884 -ip 2884
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2884 -ip 2884
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4080 -ip 4080
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4080 -ip 4080
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4080 -ip 4080
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4080 -ip 4080
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4080 -ip 4080
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4080 -ip 4080
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4080 -ip 4080
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4080 -ip 4080
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4080 -ip 4080
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4080 -ip 4080
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4080 -ip 4080
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4080 -ip 4080
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4080 -ip 4080
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 476
  2⤵
  - Program crash
  PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4708 -ip 4708
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 476
  2⤵
  - Program crash
  PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3380 -ip 3380
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4080 -ip 4080
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\062789476783

Filesize
77KB

MD5
cc2864ab5900ac452ea9bc2859c92a2e

SHA1
3199bd434a20273283659a251e9e36e643597e0d

SHA256
003bb5d575d47b3eb8ecf6e3657547e34f810f38be23e39e1b478372e3e253fe

SHA512
8fea6f1d937f4c020285e6bea44cd6ca05deb9e4b5a4a50ce87e5e79a348aceae8443df65c6d9a0f95a7a74750482ae93e2ad9d6cde472f78519b2dd36b1cfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
440KB

MD5
7975c6314618a21c1280b28a7db82e9a

SHA1
2134904558aa14a68e73f177401baac2151263de

SHA256
985c7a62468a259da64566006003ee5f09c68701af736e2497901acd9c3a254e

SHA512
da4b23b5629f3a3b99cb20a361d6d32e39af2e47d78a98380534da5906d79a2e90a72420ef97c5c6cc81c45e6dd052157104f1a23d7d8effe90658c4587267db

Download Submit
memory/2884-1-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/2884-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2884-2-0x00000000023F0000-0x000000000245B000-memory.dmp

Filesize
428KB

Download
memory/2884-17-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/2884-18-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3380-50-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4080-16-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4080-34-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4708-40-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4708-41-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download