amadey | 827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49

Analysis

max time kernel
142s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe
Size

486KB
MD5

a301fc20b8e6b07d0ddb6909e3169b93
SHA1

d69d2f49fb497a9b7afb23e1b57b73f8967923c3
SHA256

827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49
SHA512

37e31daf432bad8e6b1455f6deba7cfbf44b646cf2f95ddf58e20abfb2f31ed9839cc959546dbef60613244c92b106ee0f532f360686273e0fbdfde2d9790924
SSDEEP

12288:6i6Q52wyGleITJYOlKO98B8CF6Yi3U1sSK:63G2wyHsCE8R6YZ1sS

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
2556	Dctooux.exe

Loads dropped DLL 2 IoCs

pid	Process
1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe
1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2556	1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	28
PID 1120 wrote to memory of 2556	1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	28
PID 1120 wrote to memory of 2556	1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	28
PID 1120 wrote to memory of 2556	1120	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	28

C:\Users\Admin\AppData\Local\Temp\827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe
"C:\Users\Admin\AppData\Local\Temp\827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\721934792624

Filesize
61KB

MD5
985f144379e66fab12dc4870618b178a

SHA1
8be996ceed9825f29ee677fafde67e52bb5c926b

SHA256
94ec05b1aac4d5897d25259d8fde38413e83fd6ba27fa6f19bc30bf04d4cf484

SHA512
a0d37b0d4fd1593c6f9dc18c68d7492aa5d4f9834da0372b60dec9f789ea4bfcd67e39f8d5b52a3171520aacbe8d7f8e8964aa9ae0b8af595ad1b48bc6fb139d

Download Submit
\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
486KB

MD5
a301fc20b8e6b07d0ddb6909e3169b93

SHA1
d69d2f49fb497a9b7afb23e1b57b73f8967923c3

SHA256
827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49

SHA512
37e31daf432bad8e6b1455f6deba7cfbf44b646cf2f95ddf58e20abfb2f31ed9839cc959546dbef60613244c92b106ee0f532f360686273e0fbdfde2d9790924

Download Submit
memory/1120-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1120-2-0x0000000000300000-0x000000000036B000-memory.dmp

Filesize
428KB

Download
memory/1120-1-0x0000000001CD0000-0x0000000001DD0000-memory.dmp

Filesize
1024KB

Download
memory/1120-18-0x0000000001CD0000-0x0000000001DD0000-memory.dmp

Filesize
1024KB

Download
memory/1120-20-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/1120-15-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/1120-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1120-39-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/2556-37-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download