amadey | 0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694

Analysis

max time kernel
146s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe
Size

516KB
MD5

3fce002625684b7bd4e5a79322083233
SHA1

7b92cc8308140e9b41d73397a4f3a3ff31f28cfd
SHA256

0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694
SHA512

7e26464bc69f825d6269dc471a15b833d4d2b872321ce9024e417de4deafd2f0482be85b0939c1f59abeb86f8fbcf8b8500b867fcc92e494ab9bb602702b7e6e
SSDEEP

6144:vwLYZBhLYdKZuBNdjnU39uHYib2W8lmRCok8Z/aYQbiTngdQhKQe6:I8ZBNYUAj+8HVTSnH8ZyYA4

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe

Executes dropped EXE 3 IoCs

pid	Process
4336	Dctooux.exe
2700	Dctooux.exe
608	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
2544	1476	WerFault.exe	80
4604	1476	WerFault.exe	80
2352	1476	WerFault.exe	80
3492	1476	WerFault.exe	80
4964	1476	WerFault.exe	80
4140	1476	WerFault.exe	80
2408	1476	WerFault.exe	80
3156	1476	WerFault.exe	80
2440	1476	WerFault.exe	80
1992	1476	WerFault.exe	80
3924	4336	WerFault.exe	106
3060	4336	WerFault.exe	106
4728	4336	WerFault.exe	106
1920	4336	WerFault.exe	106
2504	4336	WerFault.exe	106
4852	4336	WerFault.exe	106
3296	4336	WerFault.exe	106
1404	4336	WerFault.exe	106
1412	4336	WerFault.exe	106
4308	4336	WerFault.exe	106
392	4336	WerFault.exe	106
4016	4336	WerFault.exe	106
3980	4336	WerFault.exe	106
688	4336	WerFault.exe	106
2620	4336	WerFault.exe	106
2636	4336	WerFault.exe	106
2336	4336	WerFault.exe	106
1992	2700	WerFault.exe	146
1412	608	WerFault.exe	149
5036	4336	WerFault.exe	106
3568	4336	WerFault.exe	106

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4336	1476	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	106
PID 1476 wrote to memory of 4336	1476	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	106
PID 1476 wrote to memory of 4336	1476	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	106

C:\Users\Admin\AppData\Local\Temp\0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe
"C:\Users\Admin\AppData\Local\Temp\0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 744
  2⤵
  - Program crash
  PID:2544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 784
  2⤵
  - Program crash
  PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 880
  2⤵
  - Program crash
  PID:2352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 912
  2⤵
  - Program crash
  PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 952
  2⤵
  - Program crash
  PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 932
  2⤵
  - Program crash
  PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1132
  2⤵
  - Program crash
  PID:2408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1244
  2⤵
  - Program crash
  PID:3156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1264
  2⤵
  - Program crash
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 568
    3⤵
    - Program crash
    PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 608
    3⤵
    - Program crash
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 584
    3⤵
    - Program crash
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 652
    3⤵
    - Program crash
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 660
    3⤵
    - Program crash
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 716
    3⤵
    - Program crash
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 876
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 928
    3⤵
    - Program crash
    PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 948
    3⤵
    - Program crash
    PID:1412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 968
    3⤵
    - Program crash
    PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 976
    3⤵
    - Program crash
    PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1020
    3⤵
    - Program crash
    PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1028
    3⤵
    - Program crash
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1416
    3⤵
    - Program crash
    PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1460
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1468
    3⤵
    - Program crash
    PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1372
    3⤵
    - Program crash
    PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1528
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 932
    3⤵
    - Program crash
    PID:3568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 808
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1476 -ip 1476
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1476 -ip 1476
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1476 -ip 1476
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1476 -ip 1476
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1476 -ip 1476
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1476 -ip 1476
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1476 -ip 1476
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1476 -ip 1476
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1476 -ip 1476
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1476 -ip 1476
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4336 -ip 4336
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4336 -ip 4336
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4336 -ip 4336
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4336 -ip 4336
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4336 -ip 4336
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4336 -ip 4336
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4336 -ip 4336
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4336 -ip 4336
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4336 -ip 4336
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4336 -ip 4336
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4336 -ip 4336
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4336 -ip 4336
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4336 -ip 4336
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4336 -ip 4336
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4336 -ip 4336
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4336 -ip 4336
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4336 -ip 4336
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 184
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2700 -ip 2700
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 440
  2⤵
  - Program crash
  PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 608 -ip 608
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4336 -ip 4336
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4336 -ip 4336
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\447855248390

Filesize
75KB

MD5
5a26d40a53c8aebbc0237ed74c547fb2

SHA1
9b36db594e60aa3d2bcda88c0e35d3849be4773c

SHA256
f8606dc63e4d5e19690c1d88f8c135527b41b56f34d66adce713eaedc4364638

SHA512
29a81a557dc5a396c393945aa60b37e10f6e2ad231b7326514b3e52dbea9b9efc2279fc39fcfb986eddddde2297252d27d6920c07ebc38124fc013e35cb76489

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
516KB

MD5
3fce002625684b7bd4e5a79322083233

SHA1
7b92cc8308140e9b41d73397a4f3a3ff31f28cfd

SHA256
0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694

SHA512
7e26464bc69f825d6269dc471a15b833d4d2b872321ce9024e417de4deafd2f0482be85b0939c1f59abeb86f8fbcf8b8500b867fcc92e494ab9bb602702b7e6e

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
153B

MD5
d47b646093dd84d34885a714ce4bd74e

SHA1
c4df23671b6440e29159093dc52cb8c4aa184597

SHA256
6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352

SHA512
906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

Download Submit
memory/608-68-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/1476-2-0x0000000003870000-0x00000000038DF000-memory.dmp

Filesize
444KB

Download
memory/1476-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1476-18-0x0000000003870000-0x00000000038DF000-memory.dmp

Filesize
444KB

Download
memory/1476-17-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/1476-1-0x0000000001D80000-0x0000000001E80000-memory.dmp

Filesize
1024KB

Download
memory/1476-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2700-39-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-36-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-28-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-48-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-54-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-67-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-16-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/4336-74-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download