amadey | 244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe
Size

512KB
MD5

7be1c71c0bae58fdd6ba317589aeecd1
SHA1

85dfc21272447f19934289b251c602d31acab1ad
SHA256

244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb
SHA512

370133b84a8a144931b9f2d1674cb6ef67235506700408ee40356a34b572937dfc10ec545a33725dd8a5c6fb07de4af63b0dc3cce7f004d3c7b9cf4e4a260d6e
SSDEEP

6144:dzLWTWb0M4lrjDfHuuzPg5m5UmCN2Ve47dhs98WaNGPitgst6DsOFJeI:ZKTC0MgbHlgE5ON2A48haNGKtf6lF

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	Dctooux.exe
4032	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
3392	4180	WerFault.exe	87
4632	4180	WerFault.exe	87
4396	4180	WerFault.exe	87
5108	4180	WerFault.exe	87
2332	4180	WerFault.exe	87
5048	4180	WerFault.exe	87
3112	4180	WerFault.exe	87
4888	4180	WerFault.exe	87
2872	4180	WerFault.exe	87
2748	4180	WerFault.exe	87
1884	4180	WerFault.exe	87
2868	3160	WerFault.exe	110
3448	4032	WerFault.exe	118
4384	4032	WerFault.exe	118
672	4032	WerFault.exe	118
1888	4032	WerFault.exe	118
1324	4032	WerFault.exe	118
1020	4032	WerFault.exe	118
1416	4032	WerFault.exe	118
2216	4032	WerFault.exe	118
2500	4032	WerFault.exe	118
2552	4032	WerFault.exe	118
4928	4032	WerFault.exe	118
868	4032	WerFault.exe	118
2400	4032	WerFault.exe	118
3892	4032	WerFault.exe	118
2288	4032	WerFault.exe	118
1484	4032	WerFault.exe	118
3388	4032	WerFault.exe	118
2552	4032	WerFault.exe	118
2076	4032	WerFault.exe	118

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4180	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 3160	4180	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe	110
PID 4180 wrote to memory of 3160	4180	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe	110
PID 4180 wrote to memory of 3160	4180	244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe	110

C:\Users\Admin\AppData\Local\Temp\244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe
"C:\Users\Admin\AppData\Local\Temp\244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 756
  2⤵
  - Program crash
  PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 756
  2⤵
  - Program crash
  PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 828
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 912
  2⤵
  - Program crash
  PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 928
  2⤵
  - Program crash
  PID:2332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 832
  2⤵
  - Program crash
  PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1140
  2⤵
  - Program crash
  PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1200
  2⤵
  - Program crash
  PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1156
  2⤵
  - Program crash
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 480
    3⤵
    - Program crash
    PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 872
  2⤵
  - Program crash
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 760
  2⤵
  - Program crash
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4180 -ip 4180
1⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4180 -ip 4180
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4180 -ip 4180
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4180 -ip 4180
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4180 -ip 4180
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4180 -ip 4180
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4180 -ip 4180
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4180 -ip 4180
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4180 -ip 4180
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4180 -ip 4180
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4180 -ip 4180
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3160 -ip 3160
1⤵
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3960,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 532
  2⤵
  - Program crash
  PID:3448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 572
  2⤵
  - Program crash
  PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 592
  2⤵
  - Program crash
  PID:672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 568
  2⤵
  - Program crash
  PID:1888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 676
  2⤵
  - Program crash
  PID:1324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 692
  2⤵
  - Program crash
  PID:1020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 816
  2⤵
  - Program crash
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 844
  2⤵
  - Program crash
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 864
  2⤵
  - Program crash
  PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 732
  2⤵
  - Program crash
  PID:2552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 920
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 992
  2⤵
  - Program crash
  PID:868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1148
  2⤵
  - Program crash
  PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1384
  2⤵
  - Program crash
  PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1372
  2⤵
  - Program crash
  PID:2288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1448
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1416
  2⤵
  - Program crash
  PID:3388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1516
  2⤵
  - Program crash
  PID:2552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 820
  2⤵
  - Program crash
  PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4032 -ip 4032
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4032 -ip 4032
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4032 -ip 4032
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4032 -ip 4032
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4032 -ip 4032
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4032 -ip 4032
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4032 -ip 4032
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4032 -ip 4032
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4032 -ip 4032
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4032 -ip 4032
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4032 -ip 4032
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4032 -ip 4032
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4032 -ip 4032
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4032 -ip 4032
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4032 -ip 4032
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4032 -ip 4032
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4032 -ip 4032
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4032 -ip 4032
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4032 -ip 4032
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\665033694144

Filesize
79KB

MD5
f24587f23c9cffb90747faa2511503f3

SHA1
f093038b30f9c444dbd46f44ccc1b4a804c108db

SHA256
e2ea09ae7fda1931383e5352727e67c0022b6d23603d8560b8e0d7c22442cab8

SHA512
b6ffbebe1a5d820e26546515e5cef379b0d554bf4819018797735f99dfe1543e4b48253391c1f25ed97102acd4f0c85623188f26614197be1cbeb49b4bffe405

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
512KB

MD5
7be1c71c0bae58fdd6ba317589aeecd1

SHA1
85dfc21272447f19934289b251c602d31acab1ad

SHA256
244e9b1b690910814a340721b2ae9b6d10104a358de11b6bf41a674b009dacfb

SHA512
370133b84a8a144931b9f2d1674cb6ef67235506700408ee40356a34b572937dfc10ec545a33725dd8a5c6fb07de4af63b0dc3cce7f004d3c7b9cf4e4a260d6e

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/3160-16-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/3160-21-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-49-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-39-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-40-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-55-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-66-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4032-72-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4180-18-0x0000000003890000-0x00000000038FF000-memory.dmp

Filesize
444KB

Download
memory/4180-17-0x0000000000400000-0x0000000001BFB000-memory.dmp

Filesize
24.0MB

Download
memory/4180-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4180-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4180-2-0x0000000003890000-0x00000000038FF000-memory.dmp

Filesize
444KB

Download
memory/4180-1-0x0000000001C60000-0x0000000001D60000-memory.dmp

Filesize
1024KB

Download