amadey | 8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
05/06/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe
Size

442KB
MD5

0172a14cc31c07e8297ea92083c94551
SHA1

457abd00a63729c1a5ed3f259e9d2865184a9f3d
SHA256

8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5
SHA512

1a9c6f225e44015485fda7531233bcf09e5303965aed791475de1b783f00574d6d2cd2424e7eb3df3a57884420564ab8f733541e7ed01dacc591a370e4de326f
SSDEEP

12288:MUwAyBoj109MuP7/EQv2xZvOaOujZpHGY:b6SuMuLIxzX1UY

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1592	Dctooux.exe
4604	Dctooux.exe
792	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4240	1252	WerFault.exe	76
3460	1252	WerFault.exe	76
4920	1252	WerFault.exe	76
4312	1252	WerFault.exe	76
1372	1252	WerFault.exe	76
2988	1252	WerFault.exe	76
4880	1252	WerFault.exe	76
1048	1252	WerFault.exe	76
1576	1252	WerFault.exe	76
2976	1252	WerFault.exe	76
2816	1592	WerFault.exe	96
2636	1592	WerFault.exe	96
4780	1592	WerFault.exe	96
560	1592	WerFault.exe	96
2160	1592	WerFault.exe	96
3912	1592	WerFault.exe	96
2824	1592	WerFault.exe	96
1232	1592	WerFault.exe	96
3396	1592	WerFault.exe	96
2532	1592	WerFault.exe	96
132	1592	WerFault.exe	96
2692	1592	WerFault.exe	96
248	1592	WerFault.exe	96
2400	1592	WerFault.exe	96
3160	1592	WerFault.exe	96
1420	1592	WerFault.exe	96
424	4604	WerFault.exe	131
3100	792	WerFault.exe	134
4100	1592	WerFault.exe	96

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1252	8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1592	1252	8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe	96
PID 1252 wrote to memory of 1592	1252	8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe	96
PID 1252 wrote to memory of 1592	1252	8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe	96

C:\Users\Admin\AppData\Local\Temp\8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe
"C:\Users\Admin\AppData\Local\Temp\8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 776
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 788
  2⤵
  - Program crash
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 880
  2⤵
  - Program crash
  PID:4920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 956
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 952
  2⤵
  - Program crash
  PID:1372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 976
  2⤵
  - Program crash
  PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 988
  2⤵
  - Program crash
  PID:4880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1044
  2⤵
  - Program crash
  PID:1048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1136
  2⤵
  - Program crash
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 588
    3⤵
    - Program crash
    PID:2816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 608
    3⤵
    - Program crash
    PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 648
    3⤵
    - Program crash
    PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 672
    3⤵
    - Program crash
    PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 644
    3⤵
    - Program crash
    PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900
    3⤵
    - Program crash
    PID:3912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 932
    3⤵
    - Program crash
    PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 972
    3⤵
    - Program crash
    PID:1232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 588
    3⤵
    - Program crash
    PID:3396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1012
    3⤵
    - Program crash
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1064
    3⤵
    - Program crash
    PID:132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1228
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1448
    3⤵
    - Program crash
    PID:248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1076
    3⤵
    - Program crash
    PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1484
    3⤵
    - Program crash
    PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1472
    3⤵
    - Program crash
    PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 904
    3⤵
    - Program crash
    PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1288
  2⤵
  - Program crash
  PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 1252
1⤵
PID:76

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1252 -ip 1252
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1252 -ip 1252
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1252 -ip 1252
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1252 -ip 1252
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1252 -ip 1252
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1252 -ip 1252
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1252 -ip 1252
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1252 -ip 1252
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1252 -ip 1252
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1592 -ip 1592
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1592 -ip 1592
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1592 -ip 1592
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1592 -ip 1592
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1592 -ip 1592
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1592 -ip 1592
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1592 -ip 1592
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1592 -ip 1592
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1592 -ip 1592
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1592 -ip 1592
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1592 -ip 1592
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1592 -ip 1592
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1592 -ip 1592
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1592 -ip 1592
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1592 -ip 1592
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1592 -ip 1592
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 476
  2⤵
  - Program crash
  PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 4604 -ip 4604
1⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 476
  2⤵
  - Program crash
  PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 792 -ip 792
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1592 -ip 1592
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\551177587377

Filesize
74KB

MD5
ab055b1c59dc85fb287d597643d26ec5

SHA1
f01819e5acc7e85164643dd393ce6ccf75d83ed7

SHA256
8a21c3e3654a721b09560ac2dc2559c39340b07ac9caec318f1f7377499b5e03

SHA512
9efb81a488880a6687c78b428973214b1d396a8d3a421d2e3629a49efd6e412bdec44aeec57091e56419f127a3d8af00f40694849bbf642242c7a81501419c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
442KB

MD5
0172a14cc31c07e8297ea92083c94551

SHA1
457abd00a63729c1a5ed3f259e9d2865184a9f3d

SHA256
8d46c40c409984308bf9a43673dcfd97a9b460114869194e8163aaf06d74f2d5

SHA512
1a9c6f225e44015485fda7531233bcf09e5303965aed791475de1b783f00574d6d2cd2424e7eb3df3a57884420564ab8f733541e7ed01dacc591a370e4de326f

Download Submit
memory/792-51-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1252-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1252-17-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1252-2-0x0000000002510000-0x000000000257B000-memory.dmp

Filesize
428KB

Download
memory/1252-18-0x0000000002510000-0x000000000257B000-memory.dmp

Filesize
428KB

Download
memory/1252-1-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/1252-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1592-16-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/1592-35-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4604-41-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4604-42-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download