amadey | 50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/06/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe
Size

463KB
MD5

d050994189d9d5b50c01a76dfecc36c5
SHA1

020c7288bb31b10e1da24a707aaeed669e745067
SHA256

50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638
SHA512

d9cca2f76ece54aef9f9f7aa65a4bd207786fb4fac77c7bb7356674a344856f63ec45f28020993732485b6b65489c448d42b84cb032cabae40e1e0ae5d4d7575
SSDEEP

6144:eFbSEEnlhAoNJ9n+mB/WLLeQkBtbWmUIbaQwfRT2+t5e4Pv0ApGukISvTH:elEnzNrnrwLLUBUmUTQw3reC0A0ukvH

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1492	Dctooux.exe
2648	Dctooux.exe
3340	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4896	1956	WerFault.exe	78
1056	1956	WerFault.exe	78
440	1956	WerFault.exe	78
2320	1956	WerFault.exe	78
1936	1956	WerFault.exe	78
3200	1956	WerFault.exe	78
3176	1956	WerFault.exe	78
3700	1956	WerFault.exe	78
2908	1956	WerFault.exe	78
1160	1956	WerFault.exe	78
1708	1492	WerFault.exe	99
2576	1492	WerFault.exe	99
1624	1492	WerFault.exe	99
3584	1492	WerFault.exe	99
4092	1492	WerFault.exe	99
1208	1492	WerFault.exe	99
4736	1492	WerFault.exe	99
5084	1492	WerFault.exe	99
4296	1492	WerFault.exe	99
4232	1492	WerFault.exe	99
2772	1492	WerFault.exe	99
3980	1492	WerFault.exe	99
4288	1492	WerFault.exe	99
2928	1492	WerFault.exe	99
2024	1492	WerFault.exe	99
3520	1492	WerFault.exe	99
1740	1492	WerFault.exe	99
1544	2648	WerFault.exe	136
3544	3340	WerFault.exe	139
644	1492	WerFault.exe	99

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1956	50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1492	1956	50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe	99
PID 1956 wrote to memory of 1492	1956	50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe	99
PID 1956 wrote to memory of 1492	1956	50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe	99

C:\Users\Admin\AppData\Local\Temp\50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe
"C:\Users\Admin\AppData\Local\Temp\50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
  2⤵
  - Program crash
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 792
  2⤵
  - Program crash
  PID:1056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 836
  2⤵
  - Program crash
  PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 948
  2⤵
  - Program crash
  PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 968
  2⤵
  - Program crash
  PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 960
  2⤵
  - Program crash
  PID:3200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 920
  2⤵
  - Program crash
  PID:3176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 924
  2⤵
  - Program crash
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1132
  2⤵
  - Program crash
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 588
    3⤵
    - Program crash
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 628
    3⤵
    - Program crash
    PID:2576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 624
    3⤵
    - Program crash
    PID:1624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 644
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 680
    3⤵
    - Program crash
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 760
    3⤵
    - Program crash
    PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 804
    3⤵
    - Program crash
    PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 912
    3⤵
    - Program crash
    PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 952
    3⤵
    - Program crash
    PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 928
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 972
    3⤵
    - Program crash
    PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1068
    3⤵
    - Program crash
    PID:3980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1212
    3⤵
    - Program crash
    PID:4288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1452
    3⤵
    - Program crash
    PID:2928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1388
    3⤵
    - Program crash
    PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1392
    3⤵
    - Program crash
    PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1500
    3⤵
    - Program crash
    PID:1740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 860
    3⤵
    - Program crash
    PID:644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1180
  2⤵
  - Program crash
  PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1956 -ip 1956
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1956 -ip 1956
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1956 -ip 1956
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1956 -ip 1956
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1956 -ip 1956
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1956 -ip 1956
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1956 -ip 1956
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 1956
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1956 -ip 1956
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1492 -ip 1492
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1492 -ip 1492
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1492 -ip 1492
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1492 -ip 1492
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1492 -ip 1492
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1492 -ip 1492
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1492 -ip 1492
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1492 -ip 1492
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1492 -ip 1492
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1492 -ip 1492
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1492 -ip 1492
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1492 -ip 1492
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1492 -ip 1492
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1492 -ip 1492
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1492 -ip 1492
1⤵
PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1492 -ip 1492
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1492 -ip 1492
1⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 476
  2⤵
  - Program crash
  PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2648 -ip 2648
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 472
  2⤵
  - Program crash
  PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3340 -ip 3340
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1492 -ip 1492
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001105534270

Filesize
78KB

MD5
b804526b09eafc47f4d6540910e6f033

SHA1
835d0d078fcb7d655140832578a987d020fba130

SHA256
9049ece7847a584005a6fea6d701a5a8f156a845f20a36003deb7c39df558682

SHA512
a736bddc0cb8090caa80a0ac8b4436165c841bf1d1c6abc5132dfac29f6731faea53ada6512dd87bc86c7d805e1399f05dc0bb317424f1349cdbc561c8017c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
463KB

MD5
d050994189d9d5b50c01a76dfecc36c5

SHA1
020c7288bb31b10e1da24a707aaeed669e745067

SHA256
50b48f276b25a3a101835d47ff305f97a8c3bc464674fd050b6d6dcd77e7b638

SHA512
d9cca2f76ece54aef9f9f7aa65a4bd207786fb4fac77c7bb7356674a344856f63ec45f28020993732485b6b65489c448d42b84cb032cabae40e1e0ae5d4d7575

Download Submit
memory/1492-42-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1492-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1492-29-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1492-28-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1492-23-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1956-19-0x00000000021F0000-0x000000000225F000-memory.dmp

Filesize
444KB

Download
memory/1956-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1956-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1956-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1956-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1956-2-0x00000000021F0000-0x000000000225F000-memory.dmp

Filesize
444KB

Download
memory/2648-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2648-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3340-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download