amadey | 6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9187c149528468a82c95ce22cdcc89.exe
Size

394KB
MD5

fb9187c149528468a82c95ce22cdcc89
SHA1

1b119e90d3c281357fcaa57a48ae62498b423a45
SHA256

6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4
SHA512

a89f27c6510046aa3dc88b2a0268077a060c7bf04cac0e49c6666144d8d861067ff33bd5142896a9fd8ec5669271db7c9e78db91b4eb123b73edc184a6cc50be
SSDEEP

6144:ulue+pRC5/Stc0+f7W0Q+3ag8s07pHepb9RiPY0BBrz+wyjTxxsDhkfC9JkCyuT:RjpRCprlQ+qqpbbig0nv+wc/GWW

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	fb9187c149528468a82c95ce22cdcc89.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	Dctooux.exe
3024	Dctooux.exe
3220	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	fb9187c149528468a82c95ce22cdcc89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1676	3708	WerFault.exe	89
516	3708	WerFault.exe	89
1728	3708	WerFault.exe	89
3384	3708	WerFault.exe	89
2796	3708	WerFault.exe	89
4780	3708	WerFault.exe	89
3936	3708	WerFault.exe	89
924	3708	WerFault.exe	89
4564	3708	WerFault.exe	89
376	3708	WerFault.exe	89
3044	1712	WerFault.exe	118
4620	1712	WerFault.exe	118
3996	1712	WerFault.exe	118
456	1712	WerFault.exe	118
1316	1712	WerFault.exe	118
4904	1712	WerFault.exe	118
3936	1712	WerFault.exe	118
1816	1712	WerFault.exe	118
2692	1712	WerFault.exe	118
2740	1712	WerFault.exe	118
4352	1712	WerFault.exe	118
2460	1712	WerFault.exe	118
2724	1712	WerFault.exe	118
2892	1712	WerFault.exe	118
2688	1712	WerFault.exe	118
3024	1712	WerFault.exe	118
1364	1712	WerFault.exe	118
1364	3024	WerFault.exe	161
5016	1712	WerFault.exe	118
1240	3220	WerFault.exe	175
1016	1712	WerFault.exe	118

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3708	fb9187c149528468a82c95ce22cdcc89.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1712	3708	fb9187c149528468a82c95ce22cdcc89.exe	118
PID 3708 wrote to memory of 1712	3708	fb9187c149528468a82c95ce22cdcc89.exe	118
PID 3708 wrote to memory of 1712	3708	fb9187c149528468a82c95ce22cdcc89.exe	118

C:\Users\Admin\AppData\Local\Temp\fb9187c149528468a82c95ce22cdcc89.exe
"C:\Users\Admin\AppData\Local\Temp\fb9187c149528468a82c95ce22cdcc89.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 768
  2⤵
  - Program crash
  PID:1676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 780
  2⤵
  - Program crash
  PID:516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 872
  2⤵
  - Program crash
  PID:1728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 880
  2⤵
  - Program crash
  PID:3384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 876
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 916
  2⤵
  - Program crash
  PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1136
  2⤵
  - Program crash
  PID:3936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1252
  2⤵
  - Program crash
  PID:924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1296
  2⤵
  - Program crash
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 564
    3⤵
    - Program crash
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 604
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 608
    3⤵
    - Program crash
    PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 596
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 656
    3⤵
    - Program crash
    PID:1316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 692
    3⤵
    - Program crash
    PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 892
    3⤵
    - Program crash
    PID:3936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 892
    3⤵
    - Program crash
    PID:1816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 936
    3⤵
    - Program crash
    PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 696
    3⤵
    - Program crash
    PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 736
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 736
    3⤵
    - Program crash
    PID:2460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 736
    3⤵
    - Program crash
    PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1408
    3⤵
    - Program crash
    PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1376
    3⤵
    - Program crash
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1452
    3⤵
    - Program crash
    PID:3024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1412
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1600
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 896
    3⤵
    - Program crash
    PID:1016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1312
  2⤵
  - Program crash
  PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3708 -ip 3708
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3708 -ip 3708
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3708 -ip 3708
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3708 -ip 3708
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3708 -ip 3708
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3708 -ip 3708
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3708 -ip 3708
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3708 -ip 3708
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3708 -ip 3708
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3708 -ip 3708
1⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1712 -ip 1712
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1712 -ip 1712
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1712 -ip 1712
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1712 -ip 1712
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1712 -ip 1712
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1712 -ip 1712
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1712 -ip 1712
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1712 -ip 1712
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1712 -ip 1712
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1712 -ip 1712
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1712 -ip 1712
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1712 -ip 1712
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1712 -ip 1712
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1712 -ip 1712
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1712 -ip 1712
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1712 -ip 1712
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1712 -ip 1712
1⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 452
  2⤵
  - Program crash
  PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3024 -ip 3024
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1712 -ip 1712
1⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 444
  2⤵
  - Program crash
  PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3220 -ip 3220
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1712 -ip 1712
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\181767204200

Filesize
79KB

MD5
b3c7c9dbadec90bfa58e723c2e53fb83

SHA1
6ebafebaa45ab420f1a061a9b78d0dc999ead095

SHA256
c58bc4cf7403196f2622ee951be5e7d40d8aff0b4577ebc8b24669851e6d4491

SHA512
4950bf79f39921f937ff951f34ac4c7068b9d32b996e372959c6e3732ca1b5428c9ca5c66416f779f948b3ecaa243e6c7cbb94f64602a2596a8be8434de681a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
394KB

MD5
fb9187c149528468a82c95ce22cdcc89

SHA1
1b119e90d3c281357fcaa57a48ae62498b423a45

SHA256
6ea1b7fc2afd69e401cf82a20c32a800a18bcfd16f29926d6660df7c271fdff4

SHA512
a89f27c6510046aa3dc88b2a0268077a060c7bf04cac0e49c6666144d8d861067ff33bd5142896a9fd8ec5669271db7c9e78db91b4eb123b73edc184a6cc50be

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/1712-16-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-36-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-72-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-66-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-55-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-45-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1712-35-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3024-53-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3024-54-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3220-76-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3708-2-0x00000000022C0000-0x000000000232F000-memory.dmp

Filesize
444KB

Download
memory/3708-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3708-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/3708-17-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/3708-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3708-19-0x00000000022C0000-0x000000000232F000-memory.dmp

Filesize
444KB

Download