amadey | 71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec

Analysis

max time kernel
148s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
12/06/2024, 16:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe
Size

513KB
MD5

161a20556aff7aed5e8c157fc2340285
SHA1

4dbba29a089eaadf2fe6abafe0923b09fa49ee5a
SHA256

71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec
SHA512

8670ce979d282e06de16d208d99b5b68ff8a3bd85313a1a6d1cf61084e10df464d52f9377a178ea3b68e956832ca331dd321aecf7055daaf0763c7fd755ba2c1
SSDEEP

6144:rsLZSzeLK+9pdnGwGOubsj09MeEUNdTMVHvHNZBoxiYlg9DDsCgY9eW:gFSzKKgGkwCE1iPpelyD

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1896	Dctooux.exe
2608	Dctooux.exe
3392	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
1212	4404	WerFault.exe	76
4916	4404	WerFault.exe	76
1460	4404	WerFault.exe	76
2508	4404	WerFault.exe	76
1240	4404	WerFault.exe	76
4444	4404	WerFault.exe	76
2532	4404	WerFault.exe	76
936	4404	WerFault.exe	76
4048	4404	WerFault.exe	76
5000	4404	WerFault.exe	76
4888	1896	WerFault.exe	96
4992	1896	WerFault.exe	96
4732	1896	WerFault.exe	96
2248	1896	WerFault.exe	96
1568	1896	WerFault.exe	96
3940	1896	WerFault.exe	96
2768	1896	WerFault.exe	96
4324	1896	WerFault.exe	96
3312	1896	WerFault.exe	96
1648	1896	WerFault.exe	96
4908	1896	WerFault.exe	96
1160	1896	WerFault.exe	96
2432	1896	WerFault.exe	96
4236	1896	WerFault.exe	96
1424	1896	WerFault.exe	96
1420	1896	WerFault.exe	96
2160	1896	WerFault.exe	96
1152	2608	WerFault.exe	133
2052	3392	WerFault.exe	136
4940	1896	WerFault.exe	96

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4404	71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 1896	4404	71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe	96
PID 4404 wrote to memory of 1896	4404	71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe	96
PID 4404 wrote to memory of 1896	4404	71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe	96

C:\Users\Admin\AppData\Local\Temp\71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe
"C:\Users\Admin\AppData\Local\Temp\71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 776
  2⤵
  - Program crash
  PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 796
  2⤵
  - Program crash
  PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 876
  2⤵
  - Program crash
  PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 944
  2⤵
  - Program crash
  PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 968
  2⤵
  - Program crash
  PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 984
  2⤵
  - Program crash
  PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 936
  2⤵
  - Program crash
  PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 936
  2⤵
  - Program crash
  PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1132
  2⤵
  - Program crash
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 584
    3⤵
    - Program crash
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 632
    3⤵
    - Program crash
    PID:4992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 612
    3⤵
    - Program crash
    PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 732
    3⤵
    - Program crash
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 760
    3⤵
    - Program crash
    PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 836
    3⤵
    - Program crash
    PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 836
    3⤵
    - Program crash
    PID:2768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 948
    3⤵
    - Program crash
    PID:4324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 960
    3⤵
    - Program crash
    PID:3312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 968
    3⤵
    - Program crash
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1012
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1068
    3⤵
    - Program crash
    PID:1160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1072
    3⤵
    - Program crash
    PID:2432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1248
    3⤵
    - Program crash
    PID:4236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1396
    3⤵
    - Program crash
    PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1504
    3⤵
    - Program crash
    PID:1420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1548
    3⤵
    - Program crash
    PID:2160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 952
    3⤵
    - Program crash
    PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1144
  2⤵
  - Program crash
  PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4404 -ip 4404
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4404 -ip 4404
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4404 -ip 4404
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4404 -ip 4404
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4404 -ip 4404
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4404 -ip 4404
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4404 -ip 4404
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4404 -ip 4404
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4404 -ip 4404
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1896 -ip 1896
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1896 -ip 1896
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1896 -ip 1896
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1896 -ip 1896
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1896 -ip 1896
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1896 -ip 1896
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1896 -ip 1896
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1896 -ip 1896
1⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1896 -ip 1896
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1896 -ip 1896
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1896 -ip 1896
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1896 -ip 1896
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1896 -ip 1896
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1896 -ip 1896
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1896 -ip 1896
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1896 -ip 1896
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1896 -ip 1896
1⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 480
  2⤵
  - Program crash
  PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2608 -ip 2608
1⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 488
  2⤵
  - Program crash
  PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 3392 -ip 3392
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1896 -ip 1896
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\672260578815

Filesize
75KB

MD5
a3941fd82b92f90a28ef2f1cebe54c37

SHA1
0634a8999a03cc74ae52b3a7fad00efefcafe937

SHA256
4f0b9fa9c5ab45b6dea4857316c56b727cfd0892d21f0b7a2b41fddfc74a2f3c

SHA512
5b3fef1da0624d77f9779d7911dbdee9dbb9b35a236260dd816551e7516b62ef5419dcd854c026d15e1b79f2dc68f7f49b72dda5c27941aec8ea54cc77b66b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
513KB

MD5
161a20556aff7aed5e8c157fc2340285

SHA1
4dbba29a089eaadf2fe6abafe0923b09fa49ee5a

SHA256
71e1afb6f88aa428c22e0c6259afb2c7ba432d030ed1b08085093397c931feec

SHA512
8670ce979d282e06de16d208d99b5b68ff8a3bd85313a1a6d1cf61084e10df464d52f9377a178ea3b68e956832ca331dd321aecf7055daaf0763c7fd755ba2c1

Download Submit
memory/1896-16-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/1896-24-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/1896-29-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/1896-37-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2608-41-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3392-50-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4404-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4404-2-0x0000000003910000-0x000000000397F000-memory.dmp

Filesize
444KB

Download
memory/4404-18-0x0000000003910000-0x000000000397F000-memory.dmp

Filesize
444KB

Download
memory/4404-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4404-17-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4404-1-0x0000000001E30000-0x0000000001F30000-memory.dmp

Filesize
1024KB

Download