amadey | 96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe
Size

471KB
MD5

dab9a5a943d99b179f515f8610ffff41
SHA1

c997b3ce7b1a20f45a727f1e37f34f3eb0875f5d
SHA256

96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f
SHA512

4c5f6db653b2ed9e9ec0c3014e1cae8a061c86be6203afdf771ad5e46673ab677d1221b7742bf9e85c65e2a596fa1e9f5d5746dd7aff86596b1264a94eb27114
SSDEEP

6144:DNLTYbdkWiL8Hg9C6G4PWyJGdDFelD/upzyGjRdybAMHafUP4JDU4:J3YbS/L8Hg9CV4PoVFe1upWGFKAp4oR

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1392	Dctooux.exe
3656	Dctooux.exe
2780	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
2400	4964	WerFault.exe	77
1684	4964	WerFault.exe	77
2744	4964	WerFault.exe	77
2420	4964	WerFault.exe	77
1616	4964	WerFault.exe	77
2756	4964	WerFault.exe	77
4948	4964	WerFault.exe	77
3196	4964	WerFault.exe	77
4956	4964	WerFault.exe	77
2064	4964	WerFault.exe	77
2496	4964	WerFault.exe	77
1364	1392	WerFault.exe	97
1452	1392	WerFault.exe	97
8	1392	WerFault.exe	97
3464	1392	WerFault.exe	97
1432	1392	WerFault.exe	97
4880	1392	WerFault.exe	97
4700	1392	WerFault.exe	97
3648	1392	WerFault.exe	97
4296	1392	WerFault.exe	97
3772	1392	WerFault.exe	97
748	1392	WerFault.exe	97
1728	1392	WerFault.exe	97
1148	1392	WerFault.exe	97
1900	1392	WerFault.exe	97
4156	1392	WerFault.exe	97
4908	1392	WerFault.exe	97
4048	1392	WerFault.exe	97
2544	3656	WerFault.exe	136
1060	2780	WerFault.exe	139
4900	1392	WerFault.exe	97
4936	1392	WerFault.exe	97

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4964	96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1392	4964	96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe	97
PID 4964 wrote to memory of 1392	4964	96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe	97
PID 4964 wrote to memory of 1392	4964	96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe	97

C:\Users\Admin\AppData\Local\Temp\96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe
"C:\Users\Admin\AppData\Local\Temp\96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 776
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 804
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 876
  2⤵
  - Program crash
  PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 940
  2⤵
  - Program crash
  PID:2420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 888
  2⤵
  - Program crash
  PID:1616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 960
  2⤵
  - Program crash
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1012
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1012
  2⤵
  - Program crash
  PID:3196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1036
  2⤵
  - Program crash
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 584
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 628
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 592
    3⤵
    - Program crash
    PID:8
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 680
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 704
    3⤵
    - Program crash
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 772
    3⤵
    - Program crash
    PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 888
    3⤵
    - Program crash
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 888
    3⤵
    - Program crash
    PID:3648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 956
    3⤵
    - Program crash
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 796
    3⤵
    - Program crash
    PID:3772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1008
    3⤵
    - Program crash
    PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1068
    3⤵
    - Program crash
    PID:1728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1232
    3⤵
    - Program crash
    PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1452
    3⤵
    - Program crash
    PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1436
    3⤵
    - Program crash
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1396
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1528
    3⤵
    - Program crash
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1584
    3⤵
    - Program crash
    PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 900
    3⤵
    - Program crash
    PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1560
  2⤵
  - Program crash
  PID:2064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 760
  2⤵
  - Program crash
  PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4964 -ip 4964
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4964 -ip 4964
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4964 -ip 4964
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4964 -ip 4964
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4964 -ip 4964
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4964 -ip 4964
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4964 -ip 4964
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4964 -ip 4964
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1392 -ip 1392
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1392 -ip 1392
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1392 -ip 1392
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1392 -ip 1392
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1392 -ip 1392
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1392 -ip 1392
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1392 -ip 1392
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1392 -ip 1392
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1392 -ip 1392
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1392 -ip 1392
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1392 -ip 1392
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1392 -ip 1392
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1392 -ip 1392
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1392 -ip 1392
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1392 -ip 1392
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1392 -ip 1392
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1392 -ip 1392
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 480
  2⤵
  - Program crash
  PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3656 -ip 3656
1⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 480
  2⤵
  - Program crash
  PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2780 -ip 2780
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1392 -ip 1392
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1392 -ip 1392
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\230210488309

Filesize
79KB

MD5
f9211d4b4a90f7f590855fc8df74bf6a

SHA1
59ac676f72c89fbb9550d7e2f44d37f80ed0f309

SHA256
ed821af622999a0288223457e23372071e1249eb37568df4c9a1b9cedb30f4d8

SHA512
935d83a1051195987ed282bd22793b844f4d1ca9d878470f7f1c08a6d9aa6a0386eba206b8d320c919156e31f19068b3d4ea5cbc716765ed25a74219a7f49299

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
471KB

MD5
dab9a5a943d99b179f515f8610ffff41

SHA1
c997b3ce7b1a20f45a727f1e37f34f3eb0875f5d

SHA256
96b711e91b77fb779c6b5fdd5fc60d217d8ea83891220ebfcfd9d931dc90605f

SHA512
4c5f6db653b2ed9e9ec0c3014e1cae8a061c86be6203afdf771ad5e46673ab677d1221b7742bf9e85c65e2a596fa1e9f5d5746dd7aff86596b1264a94eb27114

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/1392-79-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-19-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-20-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-70-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-59-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-53-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-36-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/1392-40-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/2780-73-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/3656-45-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/4964-1-0x0000000001EF0000-0x0000000001FF0000-memory.dmp

Filesize
1024KB

Download
memory/4964-21-0x0000000000400000-0x0000000001BF1000-memory.dmp

Filesize
23.9MB

Download
memory/4964-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4964-23-0x00000000039C0000-0x0000000003A2F000-memory.dmp

Filesize
444KB

Download
memory/4964-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4964-2-0x00000000039C0000-0x0000000003A2F000-memory.dmp

Filesize
444KB

Download