amadey | 5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09-06-2024 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe
Size

491KB
MD5

13b2bc3048a18cdd25de8e3449db2d5c
SHA1

875751b8aa356540e60b2ce80b9ccae2b84523e4
SHA256

5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f
SHA512

db7ab32acde9409838c517ede93026a65df572ad46455284a703a7b6524c16a5b2473b9c0f0e41323f757d98df16b393cb6f6d86edcda02b0c1ff022c1ae8fdf
SSDEEP

6144:ZQmLJe2lRMI3SLuyvO81jbQRViKT+UePVBnODIJm+8/aGAAzUCeiEU+SSSSSSSxC:emdTzCL1vBjkViKT+U6FOcJ5uoCeqVK

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
784	Dctooux.exe
2376	Dctooux.exe
4448	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
2040	4532	WerFault.exe	75
132	4532	WerFault.exe	75
2068	4532	WerFault.exe	75
1744	4532	WerFault.exe	75
4616	4532	WerFault.exe	75
4316	4532	WerFault.exe	75
1240	4532	WerFault.exe	75
2568	4532	WerFault.exe	75
2880	4532	WerFault.exe	75
3012	4532	WerFault.exe	75
4804	784	WerFault.exe	95
3436	784	WerFault.exe	95
3988	784	WerFault.exe	95
4568	784	WerFault.exe	95
560	784	WerFault.exe	95
2188	784	WerFault.exe	95
1452	784	WerFault.exe	95
924	784	WerFault.exe	95
1828	784	WerFault.exe	95
3972	784	WerFault.exe	95
3768	784	WerFault.exe	95
4844	784	WerFault.exe	95
3612	784	WerFault.exe	95
1984	784	WerFault.exe	95
3516	784	WerFault.exe	95
4960	784	WerFault.exe	95
4764	2376	WerFault.exe	130
4860	4448	WerFault.exe	133
1708	784	WerFault.exe	95

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4532	5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 784	4532	5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe	95
PID 4532 wrote to memory of 784	4532	5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe	95
PID 4532 wrote to memory of 784	4532	5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe	95

C:\Users\Admin\AppData\Local\Temp\5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe
"C:\Users\Admin\AppData\Local\Temp\5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 776
  2⤵
  - Program crash
  PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 824
  2⤵
  - Program crash
  PID:132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 804
  2⤵
  - Program crash
  PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 944
  2⤵
  - Program crash
  PID:1744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 960
  2⤵
  - Program crash
  PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 964
  2⤵
  - Program crash
  PID:4316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 928
  2⤵
  - Program crash
  PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1060
  2⤵
  - Program crash
  PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1132
  2⤵
  - Program crash
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 584
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 592
    3⤵
    - Program crash
    PID:3436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 620
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 608
    3⤵
    - Program crash
    PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 756
    3⤵
    - Program crash
    PID:560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 896
    3⤵
    - Program crash
    PID:2188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 932
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 896
    3⤵
    - Program crash
    PID:924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 752
    3⤵
    - Program crash
    PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 968
    3⤵
    - Program crash
    PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1072
    3⤵
    - Program crash
    PID:3768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1224
    3⤵
    - Program crash
    PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1448
    3⤵
    - Program crash
    PID:3612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1392
    3⤵
    - Program crash
    PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1504
    3⤵
    - Program crash
    PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1452
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 900
    3⤵
    - Program crash
    PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1284
  2⤵
  - Program crash
  PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4532 -ip 4532
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4532 -ip 4532
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4532 -ip 4532
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4532 -ip 4532
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4532 -ip 4532
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4532 -ip 4532
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4532 -ip 4532
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4532 -ip 4532
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4532 -ip 4532
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4532 -ip 4532
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 784 -ip 784
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 784
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 784 -ip 784
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 784 -ip 784
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 784
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 784 -ip 784
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 784 -ip 784
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 784 -ip 784
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 784 -ip 784
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 784
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 784 -ip 784
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 784 -ip 784
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 784 -ip 784
1⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 472
  2⤵
  - Program crash
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2376 -ip 2376
1⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 480
  2⤵
  - Program crash
  PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4448 -ip 4448
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\696768468217

Filesize
74KB

MD5
c99055904c091a1ba686383a090e0849

SHA1
660c493a113936cb065eb77d6f4282bcba9eef57

SHA256
348574bfba330885f51e2305e7434299bb22ca443cd84c6890e82a6791af3001

SHA512
7681ebc44c21069bea5e15ab916d73bea463d99af24d87c4f3f4c20ff8bcc1c84d6fe7062f90f3370d9db0523662cfe522f45eb3a0af1f00b3ecea9018310dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
491KB

MD5
13b2bc3048a18cdd25de8e3449db2d5c

SHA1
875751b8aa356540e60b2ce80b9ccae2b84523e4

SHA256
5fef337b6a0d347e4ba1d05ae695c4af0ebd6bdf22ba85c544fc839473ed350f

SHA512
db7ab32acde9409838c517ede93026a65df572ad46455284a703a7b6524c16a5b2473b9c0f0e41323f757d98df16b393cb6f6d86edcda02b0c1ff022c1ae8fdf

Download Submit
memory/784-16-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/784-17-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/784-36-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/2376-42-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/4448-51-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/4532-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4532-2-0x0000000003550000-0x00000000035BB000-memory.dmp

Filesize
428KB

Download
memory/4532-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4532-19-0x0000000003550000-0x00000000035BB000-memory.dmp

Filesize
428KB

Download
memory/4532-18-0x0000000000400000-0x0000000001825000-memory.dmp

Filesize
20.1MB

Download
memory/4532-1-0x00000000018E0000-0x00000000019E0000-memory.dmp

Filesize
1024KB

Download