amadey | 0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694

Analysis

max time kernel
149s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
12/06/2024, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe
Size

516KB
MD5

3fce002625684b7bd4e5a79322083233
SHA1

7b92cc8308140e9b41d73397a4f3a3ff31f28cfd
SHA256

0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694
SHA512

7e26464bc69f825d6269dc471a15b833d4d2b872321ce9024e417de4deafd2f0482be85b0939c1f59abeb86f8fbcf8b8500b867fcc92e494ab9bb602702b7e6e
SSDEEP

6144:vwLYZBhLYdKZuBNdjnU39uHYib2W8lmRCok8Z/aYQbiTngdQhKQe6:I8ZBNYUAj+8HVTSnH8ZyYA4

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
3640	Dctooux.exe
1648	Dctooux.exe
2544	Dctooux.exe
2604	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
2932	3380	WerFault.exe	75
1064	3380	WerFault.exe	75
3956	3380	WerFault.exe	75
1204	3380	WerFault.exe	75
3696	3380	WerFault.exe	75
3032	3380	WerFault.exe	75
2660	3380	WerFault.exe	75
2692	3380	WerFault.exe	75
3004	3380	WerFault.exe	75
4956	3380	WerFault.exe	75
4780	3640	WerFault.exe	95
5036	3640	WerFault.exe	95
2832	3640	WerFault.exe	95
236	3640	WerFault.exe	95
1760	3640	WerFault.exe	95
1596	3640	WerFault.exe	95
1032	3640	WerFault.exe	95
1560	3640	WerFault.exe	95
1200	3640	WerFault.exe	95
684	3640	WerFault.exe	95
5072	3640	WerFault.exe	95
3088	3640	WerFault.exe	95
4628	3640	WerFault.exe	95
4980	3640	WerFault.exe	95
2400	3640	WerFault.exe	95
1372	3640	WerFault.exe	95
2828	3640	WerFault.exe	95
1084	3640	WerFault.exe	95
2844	1648	WerFault.exe	134
3872	2544	WerFault.exe	137
1408	3640	WerFault.exe	95
3468	2604	WerFault.exe	142
4660	2604	WerFault.exe	142

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3380	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3640	3380	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	95
PID 3380 wrote to memory of 3640	3380	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	95
PID 3380 wrote to memory of 3640	3380	0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe	95

C:\Users\Admin\AppData\Local\Temp\0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe
"C:\Users\Admin\AppData\Local\Temp\0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 776
  2⤵
  - Program crash
  PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 824
  2⤵
  - Program crash
  PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 840
  2⤵
  - Program crash
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 924
  2⤵
  - Program crash
  PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 964
  2⤵
  - Program crash
  PID:3696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 964
  2⤵
  - Program crash
  PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 844
  2⤵
  - Program crash
  PID:2660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 844
  2⤵
  - Program crash
  PID:2692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 852
  2⤵
  - Program crash
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 588
    3⤵
    - Program crash
    PID:4780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 596
    3⤵
    - Program crash
    PID:5036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 588
    3⤵
    - Program crash
    PID:2832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 644
    3⤵
    - Program crash
    PID:236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 652
    3⤵
    - Program crash
    PID:1760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 760
    3⤵
    - Program crash
    PID:1596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 772
    3⤵
    - Program crash
    PID:1032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 932
    3⤵
    - Program crash
    PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 968
    3⤵
    - Program crash
    PID:1200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1008
    3⤵
    - Program crash
    PID:684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1016
    3⤵
    - Program crash
    PID:5072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1068
    3⤵
    - Program crash
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1208
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1452
    3⤵
    - Program crash
    PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1460
    3⤵
    - Program crash
    PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1496
    3⤵
    - Program crash
    PID:1372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1540
    3⤵
    - Program crash
    PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1520
    3⤵
    - Program crash
    PID:1084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 848
    3⤵
    - Program crash
    PID:1408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1200
  2⤵
  - Program crash
  PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3380 -ip 3380
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3380 -ip 3380
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3380 -ip 3380
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3380 -ip 3380
1⤵
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3380 -ip 3380
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3380 -ip 3380
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3380 -ip 3380
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3380 -ip 3380
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3380 -ip 3380
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3640 -ip 3640
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3640 -ip 3640
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3640 -ip 3640
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3640 -ip 3640
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3640 -ip 3640
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3640 -ip 3640
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3640 -ip 3640
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3640 -ip 3640
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3640 -ip 3640
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3640 -ip 3640
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3640 -ip 3640
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3640 -ip 3640
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3640 -ip 3640
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3640 -ip 3640
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3640 -ip 3640
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3640 -ip 3640
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3640 -ip 3640
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3640 -ip 3640
1⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 480
  2⤵
  - Program crash
  PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1648 -ip 1648
1⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 472
  2⤵
  - Program crash
  PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2544 -ip 2544
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3640 -ip 3640
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 468
  2⤵
  - Program crash
  PID:3468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 512
  2⤵
  - Program crash
  PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2604 -ip 2604
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2604 -ip 2604
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\474490143322

Filesize
77KB

MD5
cb04ff102dfd64d183504054b3c977b6

SHA1
064cc7149356e8fba6468078131794b89dfb0595

SHA256
61ac8a832bbb8253d29be20da88a32fce7abe585dee919a40ee6a64d64849de4

SHA512
32bc5d103cf5b1a641ba0a6941bca480baea074ec063edea09dbd654774fcb12c9afc73c2589060762017373828c13d80d60d10b1409c6d540e6821ccba5b3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
516KB

MD5
3fce002625684b7bd4e5a79322083233

SHA1
7b92cc8308140e9b41d73397a4f3a3ff31f28cfd

SHA256
0308c57e878fee4fe7dd2e76497240d7947ff689e046e765183dc3bb4e9bc694

SHA512
7e26464bc69f825d6269dc471a15b833d4d2b872321ce9024e417de4deafd2f0482be85b0939c1f59abeb86f8fbcf8b8500b867fcc92e494ab9bb602702b7e6e

Download Submit
memory/1648-28-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2544-48-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/2604-57-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3380-18-0x0000000003940000-0x00000000039AF000-memory.dmp

Filesize
444KB

Download
memory/3380-1-0x0000000001F60000-0x0000000002060000-memory.dmp

Filesize
1024KB

Download
memory/3380-17-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3380-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3380-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3380-2-0x0000000003940000-0x00000000039AF000-memory.dmp

Filesize
444KB

Download
memory/3640-24-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3640-25-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3640-16-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download
memory/3640-40-0x0000000000400000-0x0000000001BFC000-memory.dmp

Filesize
24.0MB

Download