amadey | 827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe
Size

486KB
MD5

a301fc20b8e6b07d0ddb6909e3169b93
SHA1

d69d2f49fb497a9b7afb23e1b57b73f8967923c3
SHA256

827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49
SHA512

37e31daf432bad8e6b1455f6deba7cfbf44b646cf2f95ddf58e20abfb2f31ed9839cc959546dbef60613244c92b106ee0f532f360686273e0fbdfde2d9790924
SSDEEP

12288:6i6Q52wyGleITJYOlKO98B8CF6Yi3U1sSK:63G2wyHsCE8R6YZ1sS

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Executes dropped EXE 3 IoCs

pid	Process
4064	Dctooux.exe
2120	Dctooux.exe
1564	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
2444	868	WerFault.exe	81
4080	868	WerFault.exe	81
1116	868	WerFault.exe	81
3600	868	WerFault.exe	81
4820	868	WerFault.exe	81
1576	868	WerFault.exe	81
1196	868	WerFault.exe	81
4076	868	WerFault.exe	81
1812	868	WerFault.exe	81
3556	868	WerFault.exe	81
5020	4064	WerFault.exe	108
4104	4064	WerFault.exe	108
2524	4064	WerFault.exe	108
4172	4064	WerFault.exe	108
2300	4064	WerFault.exe	108
3552	4064	WerFault.exe	108
412	4064	WerFault.exe	108
4636	4064	WerFault.exe	108
4596	4064	WerFault.exe	108
2988	4064	WerFault.exe	108
3344	4064	WerFault.exe	108
704	4064	WerFault.exe	108
2592	4064	WerFault.exe	108
2612	4064	WerFault.exe	108
4776	4064	WerFault.exe	108
3040	2120	WerFault.exe	145
4596	1564	WerFault.exe	148
3920	4064	WerFault.exe	108

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
868	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4064	868	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	108
PID 868 wrote to memory of 4064	868	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	108
PID 868 wrote to memory of 4064	868	827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe	108

C:\Users\Admin\AppData\Local\Temp\827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe
"C:\Users\Admin\AppData\Local\Temp\827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 748
  2⤵
  - Program crash
  PID:2444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 804
  2⤵
  - Program crash
  PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 820
  2⤵
  - Program crash
  PID:1116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 908
  2⤵
  - Program crash
  PID:3600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 932
  2⤵
  - Program crash
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 832
  2⤵
  - Program crash
  PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1144
  2⤵
  - Program crash
  PID:1196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1232
  2⤵
  - Program crash
  PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1296
  2⤵
  - Program crash
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 560
    3⤵
    - Program crash
    PID:5020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 600
    3⤵
    - Program crash
    PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 624
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 664
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 720
    3⤵
    - Program crash
    PID:2300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 888
    3⤵
    - Program crash
    PID:3552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 908
    3⤵
    - Program crash
    PID:412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 932
    3⤵
    - Program crash
    PID:4636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 736
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 916
    3⤵
    - Program crash
    PID:2988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1036
    3⤵
    - Program crash
    PID:3344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1160
    3⤵
    - Program crash
    PID:704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1372
    3⤵
    - Program crash
    PID:2592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1424
    3⤵
    - Program crash
    PID:2612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1436
    3⤵
    - Program crash
    PID:4776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 892
    3⤵
    - Program crash
    PID:3920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1492
  2⤵
  - Program crash
  PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 868 -ip 868
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 868 -ip 868
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 868 -ip 868
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 868 -ip 868
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 868 -ip 868
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 868 -ip 868
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 868 -ip 868
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 868 -ip 868
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 868 -ip 868
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 868 -ip 868
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4064 -ip 4064
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4064 -ip 4064
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4064 -ip 4064
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4064 -ip 4064
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4064 -ip 4064
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4064 -ip 4064
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4064 -ip 4064
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4064 -ip 4064
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4064 -ip 4064
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4064 -ip 4064
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4064 -ip 4064
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4064 -ip 4064
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4064 -ip 4064
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4064 -ip 4064
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4064 -ip 4064
1⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 448
  2⤵
  - Program crash
  PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2120 -ip 2120
1⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 444
  2⤵
  - Program crash
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1564 -ip 1564
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4064 -ip 4064
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\404046346511

Filesize
75KB

MD5
9d884cd5b6ac3f356790545c830d82fb

SHA1
7741e72614e4f3b245b824710b37f4b0c03f1480

SHA256
550bdbbdf14441e8867ba4f19e896f81599c72d9d9830c1584ad601ba1df768f

SHA512
407772bf7954d50808bf53beba02df30850881fface8355753544579d6417567e128adf941ea7ae9bdf2aec192f134403252325fa829c1102320c82d33f99cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
192KB

MD5
f9a97381b1b5ba0c17db9630133dfb76

SHA1
d9b741b642c17e1a06a326ca7fa03b1818309948

SHA256
7fc7db121088920a52c655164b52b14c96d87f3a0487f7c87b1e7e93780ffba4

SHA512
f8795b85ce135db33bd3e2842cc8499d889a114e6bdd1cc9742ceddf4e4e887974f3ae6413ee9cda37477df5196a5cba5a242167a6921567e1e845b59f22cb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
448KB

MD5
b41caa84b9fd732fda19634bba3ede3d

SHA1
55cb6ffc5708da4ffb9700a02dd4d43960b6c13d

SHA256
876edfb20e3d3a0bb7b2aefd8abda077fe0d10b523fe477b310de4ec3f3056fb

SHA512
0c6a40439a8853e1e718d80802525d261ffd6711bff30efbfa496100632fe10fadc11bdcb8537aa0bf28bcbb2ae039276deceb22946be21fba4fefb2beda26a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
486KB

MD5
a301fc20b8e6b07d0ddb6909e3169b93

SHA1
d69d2f49fb497a9b7afb23e1b57b73f8967923c3

SHA256
827052af840de6cb2310b29985b84428828a8d2aebb4bd76c23395fc7fefec49

SHA512
37e31daf432bad8e6b1455f6deba7cfbf44b646cf2f95ddf58e20abfb2f31ed9839cc959546dbef60613244c92b106ee0f532f360686273e0fbdfde2d9790924

Download Submit
memory/868-20-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/868-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/868-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/868-21-0x0000000002120000-0x000000000218B000-memory.dmp

Filesize
428KB

Download
memory/868-1-0x0000000001DC0000-0x0000000001EC0000-memory.dmp

Filesize
1024KB

Download
memory/868-2-0x0000000002120000-0x000000000218B000-memory.dmp

Filesize
428KB

Download
memory/1564-52-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/2120-43-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/4064-19-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/4064-31-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download
memory/4064-39-0x0000000000400000-0x0000000001BF5000-memory.dmp

Filesize
24.0MB

Download