amadey | 6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9187c149528468a82c95ce22cdcc89.exe
Size

394KB
MD5

fb9187c149528468a82c95ce22cdcc89
SHA1

1b119e90d3c281357fcaa57a48ae62498b423a45
SHA256

6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4
SHA512

a89f27c6510046aa3dc88b2a0268077a060c7bf04cac0e49c6666144d8d861067ff33bd5142896a9fd8ec5669271db7c9e78db91b4eb123b73edc184a6cc50be
SSDEEP

6144:ulue+pRC5/Stc0+f7W0Q+3ag8s07pHepb9RiPY0BBrz+wyjTxxsDhkfC9JkCyuT:RjpRCprlQ+qqpbbig0nv+wc/GWW

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
3008	Dctooux.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	fb9187c149528468a82c95ce22cdcc89.exe
1988	fb9187c149528468a82c95ce22cdcc89.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	fb9187c149528468a82c95ce22cdcc89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	fb9187c149528468a82c95ce22cdcc89.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3008	1988	fb9187c149528468a82c95ce22cdcc89.exe	28
PID 1988 wrote to memory of 3008	1988	fb9187c149528468a82c95ce22cdcc89.exe	28
PID 1988 wrote to memory of 3008	1988	fb9187c149528468a82c95ce22cdcc89.exe	28
PID 1988 wrote to memory of 3008	1988	fb9187c149528468a82c95ce22cdcc89.exe	28

C:\Users\Admin\AppData\Local\Temp\fb9187c149528468a82c95ce22cdcc89.exe
"C:\Users\Admin\AppData\Local\Temp\fb9187c149528468a82c95ce22cdcc89.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\627615824406

Filesize
65KB

MD5
c4526a5e6cc6bbc4f78a9396c1d6e3d3

SHA1
090bf5b37365980497542a4313c4bff598d8804e

SHA256
b4ae2573706e85eb9766957f568808cf885328cab164ec22040e1a17e938bd73

SHA512
47e7225a61e6d2e62ad07b5c5a608f5198871c803498be67dcd621b3d35e438c569a1c9f49c8b44a3fa83f141ba4eebba0d01b224822b5235d48f6ecd011deec

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
394KB

MD5
fb9187c149528468a82c95ce22cdcc89

SHA1
1b119e90d3c281357fcaa57a48ae62498b423a45

SHA256
6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4

SHA512
a89f27c6510046aa3dc88b2a0268077a060c7bf04cac0e49c6666144d8d861067ff33bd5142896a9fd8ec5669271db7c9e78db91b4eb123b73edc184a6cc50be

Download Submit
memory/1988-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1988-7-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1988-20-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1988-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1988-18-0x0000000001E20000-0x0000000001E8F000-memory.dmp

Filesize
444KB

Download
memory/1988-2-0x0000000001E20000-0x0000000001E8F000-memory.dmp

Filesize
444KB

Download
memory/1988-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/3008-39-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-49-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-22-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-40-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-55-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-66-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3008-72-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download