amadey | d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf

Analysis

max time kernel
145s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe
Size

471KB
MD5

702c3e584eb175daab542486b862a7c7
SHA1

f9d3e7d881b219bc3d615a2057063ff21b1083e1
SHA256

d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf
SHA512

59816e3e62efe9ca2c7a339e57d73966a963b8e6896b5a158e877a6f68af2663aa6056690e267ae56dad8922d56ec03d1bc1550a794e58c847b33e53565e53da
SSDEEP

6144:coLzj4r+qYRH/gICtm68+NuvSjcXsuTuee6q5lsX6ZZpl8T8s/v/lZnxj4S8:Rr4r5Eao6jCTuH6q5Q6bpaTtvtZnuP

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1556	Dctooux.exe
1404	Dctooux.exe
4256	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
4328	1568	WerFault.exe	79
1872	1568	WerFault.exe	79
3476	1568	WerFault.exe	79
4588	1568	WerFault.exe	79
3572	1568	WerFault.exe	79
3920	1568	WerFault.exe	79
4456	1568	WerFault.exe	79
3060	1568	WerFault.exe	79
3408	1568	WerFault.exe	79
1120	1568	WerFault.exe	79
2524	1556	WerFault.exe	101
3732	1556	WerFault.exe	101
1248	1556	WerFault.exe	101
4580	1556	WerFault.exe	101
3268	1556	WerFault.exe	101
4260	1556	WerFault.exe	101
2128	1556	WerFault.exe	101
3224	1556	WerFault.exe	101
5028	1556	WerFault.exe	101
2256	1556	WerFault.exe	101
3740	1556	WerFault.exe	101
2368	1556	WerFault.exe	101
536	1556	WerFault.exe	101
4984	1556	WerFault.exe	101
3520	1556	WerFault.exe	101
3368	1556	WerFault.exe	101
1872	1556	WerFault.exe	101
3460	1404	WerFault.exe	138
2452	1556	WerFault.exe	101
4600	4256	WerFault.exe	143
424	1556	WerFault.exe	101

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1568	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1556	1568	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	101
PID 1568 wrote to memory of 1556	1568	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	101
PID 1568 wrote to memory of 1556	1568	d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe	101

C:\Users\Admin\AppData\Local\Temp\d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe
"C:\Users\Admin\AppData\Local\Temp\d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 772
  2⤵
  - Program crash
  PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 820
  2⤵
  - Program crash
  PID:1872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 840
  2⤵
  - Program crash
  PID:3476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 948
  2⤵
  - Program crash
  PID:4588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 952
  2⤵
  - Program crash
  PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 968
  2⤵
  - Program crash
  PID:3920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1016
  2⤵
  - Program crash
  PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1080
  2⤵
  - Program crash
  PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1132
  2⤵
  - Program crash
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 588
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 596
    3⤵
    - Program crash
    PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 656
    3⤵
    - Program crash
    PID:1248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 696
    3⤵
    - Program crash
    PID:4580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 728
    3⤵
    - Program crash
    PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 684
    3⤵
    - Program crash
    PID:4260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 900
    3⤵
    - Program crash
    PID:2128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 712
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 952
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 968
    3⤵
    - Program crash
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 912
    3⤵
    - Program crash
    PID:3740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1068
    3⤵
    - Program crash
    PID:2368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1208
    3⤵
    - Program crash
    PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1452
    3⤵
    - Program crash
    PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1580
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1460
    3⤵
    - Program crash
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1472
    3⤵
    - Program crash
    PID:1872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1720
    3⤵
    - Program crash
    PID:2452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 904
    3⤵
    - Program crash
    PID:424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1284
  2⤵
  - Program crash
  PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1568 -ip 1568
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1568 -ip 1568
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1568 -ip 1568
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1568 -ip 1568
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1568 -ip 1568
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1568 -ip 1568
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1568 -ip 1568
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1568 -ip 1568
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1568 -ip 1568
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1568 -ip 1568
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1556 -ip 1556
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1556 -ip 1556
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1556 -ip 1556
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1556 -ip 1556
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1556 -ip 1556
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1556 -ip 1556
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1556 -ip 1556
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1556 -ip 1556
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1556 -ip 1556
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1556 -ip 1556
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1556 -ip 1556
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1556 -ip 1556
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1556 -ip 1556
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1556 -ip 1556
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1556 -ip 1556
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1556 -ip 1556
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1556 -ip 1556
1⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 472
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1404 -ip 1404
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1556 -ip 1556
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 468
  2⤵
  - Program crash
  PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4256 -ip 4256
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1556 -ip 1556
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\107365284157

Filesize
73KB

MD5
27f2d857216733b8da19ced960ce38c3

SHA1
b125921e38ed1e389b8e4a265adbe96ea43f2cd4

SHA256
04ff2ac3d4d092180827394e03e32dc6528fbc37063d13e6aae73c969dafed52

SHA512
60e2f1bde90168e301bc3c9bcc65f623e60a1b45843dde0f07f828f5d14f0833a10ad84f90dc444d5e71ebcd88142cef8d343dd28a9eda3858040d28d078513a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
471KB

MD5
702c3e584eb175daab542486b862a7c7

SHA1
f9d3e7d881b219bc3d615a2057063ff21b1083e1

SHA256
d7eaf3d712f61b1557239d39da6d32327c6ed09ba5af2b81ff8ce737e68e21bf

SHA512
59816e3e62efe9ca2c7a339e57d73966a963b8e6896b5a158e877a6f68af2663aa6056690e267ae56dad8922d56ec03d1bc1550a794e58c847b33e53565e53da

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/1404-51-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-19-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-50-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-76-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-68-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-57-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-38-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1556-39-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1568-1-0x0000000001CF0000-0x0000000001DF0000-memory.dmp

Filesize
1024KB

Download
memory/1568-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1568-2-0x0000000003900000-0x000000000396F000-memory.dmp

Filesize
444KB

Download
memory/1568-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1568-20-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1568-21-0x0000000003900000-0x000000000396F000-memory.dmp

Filesize
444KB

Download
memory/4256-77-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download