amadey | 4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
13/06/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe
Size

488KB
MD5

8d2241d27e11c862a3bc70b8122880c9
SHA1

fb8f8bc25adb92606c2e074414f6aeff578ed6e8
SHA256

4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde
SHA512

2a827394ad22b0c81d94bd8295443d99dc1e79c5f8e9cc0bab6eca03ff5a4553501fda7f37768eb31862463e4b26495c7b94bb47cfa4c69a8f88ee4a82e55cf8
SSDEEP

6144:5GAzLWt1C7Pc0k34ejK/CgGLB0ZRzCTdFKPkAEAS43p8nzdi9mZMnj/pFOnfb:57St1GPgmibyHSKuzdigb

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2292	Dctooux.exe
1100	Dctooux.exe
4280	Dctooux.exe
4540	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 33 IoCs

pid	pid_target	Process	procid_target
1832	3108	WerFault.exe	80
4604	3108	WerFault.exe	80
1552	3108	WerFault.exe	80
1484	3108	WerFault.exe	80
1404	3108	WerFault.exe	80
936	3108	WerFault.exe	80
2696	3108	WerFault.exe	80
1572	3108	WerFault.exe	80
652	3108	WerFault.exe	80
1416	3108	WerFault.exe	80
656	3108	WerFault.exe	80
3352	3108	WerFault.exe	80
4400	3108	WerFault.exe	80
2156	2292	WerFault.exe	106
3308	2292	WerFault.exe	106
1736	2292	WerFault.exe	106
4744	2292	WerFault.exe	106
2744	2292	WerFault.exe	106
3080	2292	WerFault.exe	106
1436	2292	WerFault.exe	106
4048	2292	WerFault.exe	106
1424	2292	WerFault.exe	106
1592	2292	WerFault.exe	106
3988	2292	WerFault.exe	106
2952	2292	WerFault.exe	106
2656	2292	WerFault.exe	106
4476	2292	WerFault.exe	106
2676	2292	WerFault.exe	106
2700	2292	WerFault.exe	106
2668	1100	WerFault.exe	142
4980	4280	WerFault.exe	145
4224	2292	WerFault.exe	106
4820	4540	WerFault.exe	150

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3108	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2292	3108	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	106
PID 3108 wrote to memory of 2292	3108	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	106
PID 3108 wrote to memory of 2292	3108	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	106

C:\Users\Admin\AppData\Local\Temp\4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe
"C:\Users\Admin\AppData\Local\Temp\4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 776
  2⤵
  - Program crash
  PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 760
  2⤵
  - Program crash
  PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 876
  2⤵
  - Program crash
  PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 880
  2⤵
  - Program crash
  PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 952
  2⤵
  - Program crash
  PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 924
  2⤵
  - Program crash
  PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 932
  2⤵
  - Program crash
  PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1060
  2⤵
  - Program crash
  PID:1572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1132
  2⤵
  - Program crash
  PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1456
  2⤵
  - Program crash
  PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 812
  2⤵
  - Program crash
  PID:656
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 500
    3⤵
    - Program crash
    PID:2156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 592
    3⤵
    - Program crash
    PID:3308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 620
    3⤵
    - Program crash
    PID:1736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 644
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 752
    3⤵
    - Program crash
    PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 780
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 928
    3⤵
    - Program crash
    PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 948
    3⤵
    - Program crash
    PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1016
    3⤵
    - Program crash
    PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 992
    3⤵
    - Program crash
    PID:1592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1064
    3⤵
    - Program crash
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1204
    3⤵
    - Program crash
    PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1452
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1384
    3⤵
    - Program crash
    PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1408
    3⤵
    - Program crash
    PID:2676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1384
    3⤵
    - Program crash
    PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 852
    3⤵
    - Program crash
    PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 900
  2⤵
  - Program crash
  PID:3352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1268
  2⤵
  - Program crash
  PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3108 -ip 3108
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3108 -ip 3108
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3108 -ip 3108
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3108 -ip 3108
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3108 -ip 3108
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3108 -ip 3108
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3108 -ip 3108
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3108 -ip 3108
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3108 -ip 3108
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3108 -ip 3108
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3108 -ip 3108
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3108 -ip 3108
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 2292
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 2292
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2292 -ip 2292
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2292 -ip 2292
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 2292
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2292 -ip 2292
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 2292
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2292 -ip 2292
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2292 -ip 2292
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2292 -ip 2292
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2292 -ip 2292
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 2292
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2292 -ip 2292
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2292 -ip 2292
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2292 -ip 2292
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2292 -ip 2292
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 480
  2⤵
  - Program crash
  PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1100 -ip 1100
1⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 472
  2⤵
  - Program crash
  PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4280 -ip 4280
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 2292
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 472
  2⤵
  - Program crash
  PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4540 -ip 4540
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\524922173293

Filesize
80KB

MD5
bf95358968d8c864c751f839c94df8e6

SHA1
4a77152b68dbd10b8f00d023ca427245d766f980

SHA256
432fe22bd5cc21d412e3c952b5c8d51ae2d0ad81adf306b9cce1ac5b363d13b0

SHA512
9a24d6e716650e4457fb0a8e51d27f14563295e445cd0e39d641afcbe02618350690f1eac1a443ed34594a949f881b5146bcd260d736340a56f1e497727cd7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
488KB

MD5
8d2241d27e11c862a3bc70b8122880c9

SHA1
fb8f8bc25adb92606c2e074414f6aeff578ed6e8

SHA256
4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde

SHA512
2a827394ad22b0c81d94bd8295443d99dc1e79c5f8e9cc0bab6eca03ff5a4553501fda7f37768eb31862463e4b26495c7b94bb47cfa4c69a8f88ee4a82e55cf8

Download Submit
memory/1100-38-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/2292-35-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/2292-16-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3108-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3108-18-0x00000000040A0000-0x000000000410B000-memory.dmp

Filesize
428KB

Download
memory/3108-17-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3108-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3108-2-0x00000000040A0000-0x000000000410B000-memory.dmp

Filesize
428KB

Download
memory/3108-1-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/4280-47-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/4540-56-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download