amadey | d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe
Size

471KB
MD5

702c3e584eb175daab542486b862a7c7
SHA1

f9d3e7d881b219bc3d615a2057063ff21b1083e1
SHA256

d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf
SHA512

59816e3e62efe9ca2c7a339e57d73966a963b8e6896b5a158e877a6f68af2663aa6056690e267ae56dad8922d56ec03d1bc1550a794e58c847b33e53565e53da
SSDEEP

6144:coLzj4r+qYRH/gICtm68+NuvSjcXsuTuee6q5lsX6ZZpl8T8s/v/lZnxj4S8:Rr4r5Eao6jCTuH6q5Q6bpaTtvtZnuP

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe

Executes dropped EXE 3 IoCs

pid	Process
2544	Dctooux.exe
1192	Dctooux.exe
2168	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4300	2968	WerFault.exe	80
3720	2968	WerFault.exe	80
1528	2968	WerFault.exe	80
3496	2968	WerFault.exe	80
2796	2968	WerFault.exe	80
2964	2968	WerFault.exe	80
2528	2968	WerFault.exe	80
4016	2968	WerFault.exe	80
844	2968	WerFault.exe	80
4504	2968	WerFault.exe	80
3652	2544	WerFault.exe	104
2008	2544	WerFault.exe	104
3596	2544	WerFault.exe	104
1668	2544	WerFault.exe	104
1016	2544	WerFault.exe	104
2520	2544	WerFault.exe	104
4536	2544	WerFault.exe	104
2248	2544	WerFault.exe	104
1576	2544	WerFault.exe	104
2152	2544	WerFault.exe	104
4436	2544	WerFault.exe	104
3752	2544	WerFault.exe	104
4060	2544	WerFault.exe	104
4300	2544	WerFault.exe	104
2436	2544	WerFault.exe	104
4620	2544	WerFault.exe	104
4304	1192	WerFault.exe	147
1988	2544	WerFault.exe	104
4716	2168	WerFault.exe	152
4276	2544	WerFault.exe	104

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2544	2968	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	104
PID 2968 wrote to memory of 2544	2968	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	104
PID 2968 wrote to memory of 2544	2968	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	104

C:\Users\Admin\AppData\Local\Temp\d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe
"C:\Users\Admin\AppData\Local\Temp\d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 756
  2⤵
  - Program crash
  PID:4300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 796
  2⤵
  - Program crash
  PID:3720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 856
  2⤵
  - Program crash
  PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 924
  2⤵
  - Program crash
  PID:3496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 932
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 964
  2⤵
  - Program crash
  PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1132
  2⤵
  - Program crash
  PID:2528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1240
  2⤵
  - Program crash
  PID:4016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1288
  2⤵
  - Program crash
  PID:844
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 560
    3⤵
    - Program crash
    PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 568
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 580
    3⤵
    - Program crash
    PID:3596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 656
    3⤵
    - Program crash
    PID:1668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 688
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 796
    3⤵
    - Program crash
    PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 860
    3⤵
    - Program crash
    PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 888
    3⤵
    - Program crash
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 848
    3⤵
    - Program crash
    PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 952
    3⤵
    - Program crash
    PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 964
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 968
    3⤵
    - Program crash
    PID:3752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1032
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1408
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1388
    3⤵
    - Program crash
    PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1460
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 700
    3⤵
    - Program crash
    PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 864
    3⤵
    - Program crash
    PID:4276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 864
  2⤵
  - Program crash
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2968 -ip 2968
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2968 -ip 2968
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2968 -ip 2968
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2968 -ip 2968
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2968 -ip 2968
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2968 -ip 2968
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2968 -ip 2968
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2968 -ip 2968
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2968 -ip 2968
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2968 -ip 2968
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2544 -ip 2544
1⤵
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2544 -ip 2544
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2544 -ip 2544
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2544 -ip 2544
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2544 -ip 2544
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2544 -ip 2544
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2544 -ip 2544
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2544 -ip 2544
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2544 -ip 2544
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2544 -ip 2544
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2544 -ip 2544
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2544 -ip 2544
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2544 -ip 2544
1⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 448
  2⤵
  - Program crash
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1192 -ip 1192
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2544 -ip 2544
1⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 448
  2⤵
  - Program crash
  PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2168 -ip 2168
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2544 -ip 2544
1⤵
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\018855536220

Filesize
76KB

MD5
e842f03fd7b5a4d00648ad36d07f625b

SHA1
4063c6593b7e055c4dd022e30f210547ed9a9c0d

SHA256
1e55952c7bb46142dd90a56c80db258c20ce5c547bc80d2964538e834cac826a

SHA512
d019337a41120ffa5ec7fe14462940c76ab227892d94150ed182202fd84cd4f6f515e6d0c249c2c46bb2b1b688a57756b09da141d700839450ef9cee749ea59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
471KB

MD5
702c3e584eb175daab542486b862a7c7

SHA1
f9d3e7d881b219bc3d615a2057063ff21b1083e1

SHA256
d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf

SHA512
59816e3e62efe9ca2c7a339e57d73966a963b8e6896b5a158e877a6f68af2663aa6056690e267ae56dad8922d56ec03d1bc1550a794e58c847b33e53565e53da

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/1192-50-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2168-76-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-19-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-37-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-38-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-47-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-56-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-67-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2544-73-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2968-20-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2968-21-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2968-1-0x0000000001E80000-0x0000000001F80000-memory.dmp

Filesize
1024KB

Download
memory/2968-2-0x0000000003820000-0x000000000388F000-memory.dmp

Filesize
444KB

Download
memory/2968-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download