amadey | 7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11/06/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe
Size

434KB
MD5

decd86a4d673c564f720459c499ce426
SHA1

83b4f8d30a5e4df69044726cdf9d68d55aebcbcf
SHA256

7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4
SHA512

33ba92ed0232215fad1c9e511fa643867f59a993d5004e73c0cab61c0ef475df14c2e54903c4789f3189d29a67f75e9cc105705286e77518aabb5c2fbb373b95
SSDEEP

6144:AmFgBR2qyWkqYQKr6wWORcbIaMkk5AYXvy7mcnTVaahJVOrT:AmFiKrrWrMkfYqKcnTVaahJVO/

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
3820	Dctooux.exe
4384	Dctooux.exe
4576	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3604	3924	WerFault.exe	76
400	3924	WerFault.exe	76
2364	3924	WerFault.exe	76
972	3924	WerFault.exe	76
3364	3924	WerFault.exe	76
4712	3924	WerFault.exe	76
5104	3924	WerFault.exe	76
416	3924	WerFault.exe	76
3760	3924	WerFault.exe	76
1572	3924	WerFault.exe	76
984	3820	WerFault.exe	96
2628	3820	WerFault.exe	96
2152	3820	WerFault.exe	96
4744	3820	WerFault.exe	96
3948	3820	WerFault.exe	96
3704	3820	WerFault.exe	96
2968	3820	WerFault.exe	96
3224	3820	WerFault.exe	96
2344	3820	WerFault.exe	96
4580	3820	WerFault.exe	96
5092	3820	WerFault.exe	96
4060	3820	WerFault.exe	96
5028	3820	WerFault.exe	96
1632	3820	WerFault.exe	96
3668	3820	WerFault.exe	96
3996	3820	WerFault.exe	96
3680	3820	WerFault.exe	96
3232	4384	WerFault.exe	133
1104	4576	WerFault.exe	136
2032	3820	WerFault.exe	96

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3924	7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3820	3924	7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe	96
PID 3924 wrote to memory of 3820	3924	7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe	96
PID 3924 wrote to memory of 3820	3924	7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe	96

C:\Users\Admin\AppData\Local\Temp\7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe
"C:\Users\Admin\AppData\Local\Temp\7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 776
  2⤵
  - Program crash
  PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 792
  2⤵
  - Program crash
  PID:400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 876
  2⤵
  - Program crash
  PID:2364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 924
  2⤵
  - Program crash
  PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 928
  2⤵
  - Program crash
  PID:3364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 976
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1012
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1012
  2⤵
  - Program crash
  PID:416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1080
  2⤵
  - Program crash
  PID:3760
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 584
    3⤵
    - Program crash
    PID:984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 604
    3⤵
    - Program crash
    PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 624
    3⤵
    - Program crash
    PID:2152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 652
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 620
    3⤵
    - Program crash
    PID:3948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 896
    3⤵
    - Program crash
    PID:3704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 924
    3⤵
    - Program crash
    PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 724
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 928
    3⤵
    - Program crash
    PID:2344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 948
    3⤵
    - Program crash
    PID:4580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1048
    3⤵
    - Program crash
    PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1056
    3⤵
    - Program crash
    PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1180
    3⤵
    - Program crash
    PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1324
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1348
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1528
    3⤵
    - Program crash
    PID:3996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1544
    3⤵
    - Program crash
    PID:3680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 900
    3⤵
    - Program crash
    PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 884
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3924 -ip 3924
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3924 -ip 3924
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3924 -ip 3924
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3924 -ip 3924
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3924 -ip 3924
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3924 -ip 3924
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3924 -ip 3924
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3924 -ip 3924
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3924 -ip 3924
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3924 -ip 3924
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3820 -ip 3820
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3820 -ip 3820
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3820 -ip 3820
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3820 -ip 3820
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3820 -ip 3820
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3820 -ip 3820
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3820 -ip 3820
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3820 -ip 3820
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3820 -ip 3820
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3820 -ip 3820
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3820 -ip 3820
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3820 -ip 3820
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3820 -ip 3820
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3820 -ip 3820
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3820 -ip 3820
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3820 -ip 3820
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3820 -ip 3820
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 480
  2⤵
  - Program crash
  PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4384 -ip 4384
1⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 480
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4576 -ip 4576
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3820 -ip 3820
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\672260578815

Filesize
75KB

MD5
99991761df6f2bc3f14902ad84be6241

SHA1
632202c94a5bb6ad380df7acac28f0c474493489

SHA256
4550f31850a827aec29fc3597a6cd3c723921986357e2321d3da9fcfb9f51b5d

SHA512
9bcad58c6bb34896e881f1ce897eddb3a8f560fe0ab102df164975b92b6d899194cf92f4d4455d751e190645d45d9688d0410bc5a09d058418371776317b30f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
434KB

MD5
decd86a4d673c564f720459c499ce426

SHA1
83b4f8d30a5e4df69044726cdf9d68d55aebcbcf

SHA256
7d3054d7f4be92178d35b66673daca18b9b2c534e80d92d3cf5dc47abe4e05a4

SHA512
33ba92ed0232215fad1c9e511fa643867f59a993d5004e73c0cab61c0ef475df14c2e54903c4789f3189d29a67f75e9cc105705286e77518aabb5c2fbb373b95

Download Submit
memory/3820-19-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3820-27-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3820-40-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3924-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3924-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3924-20-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3924-21-0x00000000008E0000-0x000000000094B000-memory.dmp

Filesize
428KB

Download
memory/3924-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3924-2-0x00000000008E0000-0x000000000094B000-memory.dmp

Filesize
428KB

Download
memory/4384-43-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4384-44-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4576-53-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download