Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-06-2024 08:18

General

  • Target

    a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d.exe

  • Size

    489KB

  • MD5

    640b35e62443a62ba15beba6aa317500

  • SHA1

    09bac93ca0e9e16cc840d22e45a7f14f54a0745c

  • SHA256

    a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d

  • SHA512

    0046cbe3974aa855c4746270873bb5976727f325606538f15e82c30f3a4225894840b8c2a853267780d99ecd83c5ee56120adae4d079f7683d9481a29bd6b10a

  • SSDEEP

    6144:Oc0LIpbZrTSoNGAtGMbJ/Po13iKoBcymNzUEpKRzCnuzZs9rxzkETgY4Tavc:r0spbZrTJGMdkRoBjVZCnuzZs9rZTgN

Score
10/10

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

C2

http://check-ftp.ru

Attributes
  • install_dir

    b9695770f1

  • install_file

    Dctooux.exe

  • strings_key

    1d3a0f2941c4060dba7f23a378474944

  • url_paths

    /forum/index.php

rc4.plain
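
The config above lists a strings_key and an rc4.plain field, which is how this family's string table is normally recovered: the key is applied with plain RC4 to the hex-encoded blobs found in the unpacked binary. The following is an added example (not code from the page, from the sandbox, or from the malware) of that recovery step. It assumes the key is used as its 32 ASCII bytes; the page shows no encrypted strings, so the sample blobs are constructed inline by encrypting two values from the config with the same key, and the decryptor keeps only results that decode to printable ASCII, which is the usual way to tell a wrong key from a right one.

```python
# Added example: RC4 string recovery keyed with the report's strings_key.
# Not the sandbox's code and not the malware's own routine.

# strings_key from the report, used as its ASCII bytes (assumption: some
# builds may instead use the raw 16 bytes the hex spells out).
STRINGS_KEY = b"1d3a0f2941c4060dba7f23a378474944"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_text(b: bytes) -> bool:
    """Printable ASCII only; RC4 under the wrong key yields random bytes."""
    return len(b) > 0 and all(32 <= c < 127 for c in b)


def decrypt_candidates(hex_blobs, key: bytes = STRINGS_KEY) -> dict:
    """Map each hex blob to its decrypted string, skipping blobs that are not
    valid hex or that do not decrypt to printable text under this key."""
    recovered = {}
    for blob in hex_blobs:
        try:
            plaintext = rc4(key, bytes.fromhex(blob))
        except ValueError:                     # not a hex string at all
            continue
        if looks_like_text(plaintext):
            recovered[blob] = plaintext.decode("ascii")
    return recovered


def encrypt_to_hex(plaintext: str, key: bytes = STRINGS_KEY) -> str:
    """Helper used only to construct demo blobs in the report's hex layout."""
    return rc4(key, plaintext.encode()).hex().upper()


# Constructed demo blobs: two config values encrypted with the same key, plus
# one non-hex entry to show the filter discarding it.
DEMO_BLOBS = [
    encrypt_to_hex("/forum/index.php"),
    encrypt_to_hex("Dctooux.exe"),
    "not-hex",
]

if __name__ == "__main__":
    for blob, text in decrypt_candidates(DEMO_BLOBS).items():
        print(f"{blob} -> {text}")
```

To use this on a real unpacked sample, collect the hex-looking string constants from the binary and pass them to `decrypt_candidates`; if nothing printable comes back, try the raw-byte form of the key before assuming the key is wrong.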

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d.exe
    "C:\Users\Admin\AppData\Local\Temp\a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
      2⤵
      • Executes dropped EXE
      PID:2836
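
The process tree and the extracted config together give a compact detection: the sample copies itself (same size, same hashes) into %TEMP%\b9695770f1\Dctooux.exe, executes the copy, and talks to http://check-ftp.ru/forum/index.php. The block below is an added example, not part of the sandbox report, that turns those observations into checks run over constructed process-creation events and proxy log lines. The Temp-subdirectory pattern is generalised beyond this sample to any 8 to 12 character lowercase-hex folder name (an assumption; other builds may choose differently), and a bare /forum/index.php path is rated only as a hunting lead because that path is common on legitimate forum software.

```python
# Added example: host and network IOC checks derived from this report.
# Sample events and log lines below are constructed, not captured.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators taken from the report.
SHA256_IOCS = {
    "a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d",
}
C2_HOSTS = {"check-ftp.ru"}
C2_PATHS = {"/forum/index.php"}

# Install pattern seen in the process tree: an .exe inside a hex-named folder
# directly under ...\AppData\Local\Temp\. Length range is an assumption.
SELF_COPY_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[0-9a-f]{8,12}\\[^\\]+\.exe$", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str


def flag_process_events(events):
    """Return (pid, reason) findings for a known-bad image hash or for a
    Temp self-copy whose hash equals its parent's image hash."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.sha256.lower() in SHA256_IOCS:
            findings.append((e.pid, "image hash is a known Amadey sample"))
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and SELF_COPY_RE.search(e.image)
                and e.sha256.lower() == parent.sha256.lower()):
            findings.append((e.pid, f"self-copy of {parent.image} launched from Temp subdirectory"))
    return findings


def flag_http_requests(lines):
    """Parse proxy lines of the form 'METHOD URL STATUS'. A C2 host match is
    high confidence; the path alone is a low-confidence hunting lead."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = parts[1]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append((url, "high"))
        elif u.path in C2_PATHS:
            hits.append((url, "low"))
    return hits


# Constructed sample data modelled on the process tree above.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_HASH = "a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d"
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "00" * 32),
    ProcEvent(1640, 1000, TEMP + "\\" + SAMPLE_HASH + ".exe", SAMPLE_HASH),
    ProcEvent(2836, 1640, TEMP + r"\b9695770f1\Dctooux.exe", SAMPLE_HASH),
    # Benign: installer in a non-hex Temp folder with a different hash.
    ProcEvent(3100, 1000, TEMP + r"\Installer\setup.exe", "11" * 32),
]
SAMPLE_HTTP = [
    "POST http://check-ftp.ru/forum/index.php 200",
    "GET https://forum.example.org/forum/index.php 200",
    "GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for pid, reason in flag_process_events(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
    for url, confidence in flag_http_requests(SAMPLE_HTTP):
        print(f"{confidence}: {url}")
```

The self-copy check matters more than the hash list: the hashes change with every build, while copying the running image into a random hex folder under Temp and executing it is the behaviour the report records, and it is what a Sysmon or EDR query should key on.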

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\309405411416

    Filesize

    72KB

    MD5

    45c5d95eea149c8491e9d1fd9b8594db

    SHA1

    f3ba7d5fc5920c49405589ab9f7ff34752188d45

    SHA256

    e53ec32c5a65f17aa2dbfcd26bef3f6a72da9d060a2dcfa4daaf3ed868ea5154

    SHA512

    4436a2a318b3e4e506f609aea67aad7f6026f9434b853350ee41cf3577ed16d70b50f4e3199e6e23f3c685547845db566025ead3fb95399fa2ccb697ed629d53

  • C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

    Filesize

    489KB

    MD5

    640b35e62443a62ba15beba6aa317500

    SHA1

    09bac93ca0e9e16cc840d22e45a7f14f54a0745c

    SHA256

    a6008984e97e2336a4a267cd3c5cce17a67468c783f8ea9134081a260a02007d

    SHA512

    0046cbe3974aa855c4746270873bb5976727f325606538f15e82c30f3a4225894840b8c2a853267780d99ecd83c5ee56120adae4d079f7683d9481a29bd6b10a

  • memory/1640-1-0x00000000019F0000-0x0000000001AF0000-memory.dmp

    Filesize

    1024KB

  • memory/1640-2-0x0000000000220000-0x000000000028B000-memory.dmp

    Filesize

    428KB

  • memory/1640-3-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1640-18-0x0000000000220000-0x000000000028B000-memory.dmp

    Filesize

    428KB

  • memory/1640-19-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/1640-20-0x0000000000400000-0x0000000001825000-memory.dmp

    Filesize

    20.1MB

  • memory/1640-16-0x0000000000400000-0x0000000001825000-memory.dmp

    Filesize

    20.1MB

  • memory/1640-17-0x00000000019F0000-0x0000000001AF0000-memory.dmp

    Filesize

    1024KB

  • memory/1640-40-0x0000000000400000-0x0000000001825000-memory.dmp

    Filesize

    20.1MB

  • memory/2836-38-0x0000000000400000-0x0000000001825000-memory.dmp

    Filesize

    20.1MB