amadey | 0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/06/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe
Size

494KB
MD5

aee5bec1f5ecaa221f1bb2db4f7c6eb5
SHA1

1f2a086f422fafc87712fee047839b53d1b86c78
SHA256

0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7
SHA512

07d40d655c6a7c93e0c9b34e0624b4cb134569c1c5f35a00c7d84500f879171e83bda35fd216031d51b6ee6371b439cfcbb1fba2a7261cdfd0bb4ca9ec2e55f7
SSDEEP

6144:0BvLPka847krJpIBaqnfQ/O9PWwtD69etL8etDf18UmS2worfb:KvTka8WkVyBBSguW868etTW/

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
2288	Dctooux.exe
444	Dctooux.exe
864	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1868	3304	WerFault.exe	76
4092	3304	WerFault.exe	76
1976	3304	WerFault.exe	76
4812	3304	WerFault.exe	76
1064	3304	WerFault.exe	76
1672	3304	WerFault.exe	76
2120	3304	WerFault.exe	76
4232	3304	WerFault.exe	76
4740	3304	WerFault.exe	76
1600	3304	WerFault.exe	76
1896	2288	WerFault.exe	96
4948	2288	WerFault.exe	96
1060	2288	WerFault.exe	96
904	2288	WerFault.exe	96
3792	2288	WerFault.exe	96
4184	2288	WerFault.exe	96
3872	2288	WerFault.exe	96
2972	2288	WerFault.exe	96
3892	2288	WerFault.exe	96
704	2288	WerFault.exe	96
1068	2288	WerFault.exe	96
4484	2288	WerFault.exe	96
5060	2288	WerFault.exe	96
912	2288	WerFault.exe	96
3296	2288	WerFault.exe	96
4272	2288	WerFault.exe	96
4036	2288	WerFault.exe	96
752	2288	WerFault.exe	96
4968	444	WerFault.exe	135
4488	864	WerFault.exe	138
3768	2288	WerFault.exe	96

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3304	0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2288	3304	0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe	96
PID 3304 wrote to memory of 2288	3304	0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe	96
PID 3304 wrote to memory of 2288	3304	0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe	96

C:\Users\Admin\AppData\Local\Temp\0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe
"C:\Users\Admin\AppData\Local\Temp\0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 776
  2⤵
  - Program crash
  PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 820
  2⤵
  - Program crash
  PID:4092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 836
  2⤵
  - Program crash
  PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 932
  2⤵
  - Program crash
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 936
  2⤵
  - Program crash
  PID:1064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 964
  2⤵
  - Program crash
  PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 836
  2⤵
  - Program crash
  PID:2120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 836
  2⤵
  - Program crash
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1132
  2⤵
  - Program crash
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 588
    3⤵
    - Program crash
    PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 608
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 600
    3⤵
    - Program crash
    PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 640
    3⤵
    - Program crash
    PID:904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 648
    3⤵
    - Program crash
    PID:3792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 768
    3⤵
    - Program crash
    PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 900
    3⤵
    - Program crash
    PID:3872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 908
    3⤵
    - Program crash
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 952
    3⤵
    - Program crash
    PID:3892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 992
    3⤵
    - Program crash
    PID:704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1012
    3⤵
    - Program crash
    PID:1068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1028
    3⤵
    - Program crash
    PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1048
    3⤵
    - Program crash
    PID:5060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1248
    3⤵
    - Program crash
    PID:912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1336
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1500
    3⤵
    - Program crash
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1336
    3⤵
    - Program crash
    PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1524
    3⤵
    - Program crash
    PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 944
    3⤵
    - Program crash
    PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 1176
  2⤵
  - Program crash
  PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3304 -ip 3304
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3304 -ip 3304
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3304 -ip 3304
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3304 -ip 3304
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3304 -ip 3304
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3304 -ip 3304
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3304 -ip 3304
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3304 -ip 3304
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3304 -ip 3304
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3304 -ip 3304
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2288 -ip 2288
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2288 -ip 2288
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2288 -ip 2288
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2288 -ip 2288
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2288 -ip 2288
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2288 -ip 2288
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2288 -ip 2288
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2288 -ip 2288
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2288 -ip 2288
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2288 -ip 2288
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2288 -ip 2288
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2288 -ip 2288
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2288 -ip 2288
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2288 -ip 2288
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2288 -ip 2288
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2288 -ip 2288
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2288 -ip 2288
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2288 -ip 2288
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 472
  2⤵
  - Program crash
  PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 444 -ip 444
1⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 472
  2⤵
  - Program crash
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 864 -ip 864
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2288 -ip 2288
1⤵
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\672260578815

Filesize
75KB

MD5
87f96dfefa0df85173990892ac3b0b80

SHA1
62750072f7cc9594fb06a84884c7f06dee955351

SHA256
5ab928b65f5c1a330053e90780cacddd557e84b46a5c5ac4e10844d97e507f0f

SHA512
a2f7c93aafe3a345dda8e6fb39acb698e3396df6bd888a1e52406ef78d5b69e059b79be5af56a5549fe81adbb4a76c3baf71138523a7228e458af980757d2344

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
494KB

MD5
aee5bec1f5ecaa221f1bb2db4f7c6eb5

SHA1
1f2a086f422fafc87712fee047839b53d1b86c78

SHA256
0c285d000cd625dca558999244bd59ff813e6d54f88980e4b3c94287777c44b7

SHA512
07d40d655c6a7c93e0c9b34e0624b4cb134569c1c5f35a00c7d84500f879171e83bda35fd216031d51b6ee6371b439cfcbb1fba2a7261cdfd0bb4ca9ec2e55f7

Download Submit
memory/444-44-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/864-53-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/2288-25-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/2288-17-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/2288-26-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/2288-16-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/2288-39-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/3304-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3304-19-0x00000000040F0000-0x000000000415F000-memory.dmp

Filesize
444KB

Download
memory/3304-18-0x0000000000400000-0x0000000002398000-memory.dmp

Filesize
31.6MB

Download
memory/3304-1-0x0000000002650000-0x0000000002750000-memory.dmp

Filesize
1024KB

Download
memory/3304-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3304-2-0x00000000040F0000-0x000000000415F000-memory.dmp

Filesize
444KB

Download