amadey | 70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
14-06-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe
Size

463KB
MD5

d20a3d88ce4efcf17d5af475e5cf4370
SHA1

7b7231f10aed63c58445efd9fd1e40a0df163acc
SHA256

70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c
SHA512

65c4d56579c68697be9836e8df33d4ce0a43fb0c92cd63337bce5a55305017a637518b4dfbf18ee24433d461bbcb14f1b58e736910d9dbd42d9f57f48747089d
SSDEEP

6144:aFbHHkE8Nd8FJe8OMTNdkPDGzmCPdu1cxtcsz+fCOfc2YafSD5z38GzJSvTH:aRkpuve8tfriCPkivzqCecFlzZUH

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
4080	Dctooux.exe
32	Dctooux.exe
2968	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
4904	4172	WerFault.exe	79
2472	4172	WerFault.exe	79
3460	4172	WerFault.exe	79
3428	4172	WerFault.exe	79
1224	4172	WerFault.exe	79
4964	4172	WerFault.exe	79
1444	4172	WerFault.exe	79
4688	4172	WerFault.exe	79
2980	4172	WerFault.exe	79
2772	4172	WerFault.exe	79
540	4080	WerFault.exe	105
240	4080	WerFault.exe	105
4416	4080	WerFault.exe	105
2868	4080	WerFault.exe	105
1904	4080	WerFault.exe	105
2616	4080	WerFault.exe	105
2420	4080	WerFault.exe	105
4768	4080	WerFault.exe	105
2044	4080	WerFault.exe	105
2576	4080	WerFault.exe	105
4300	4080	WerFault.exe	105
2340	4080	WerFault.exe	105
1644	4080	WerFault.exe	105
872	4080	WerFault.exe	105
4908	4080	WerFault.exe	105
2328	4080	WerFault.exe	105
3088	4080	WerFault.exe	105
3872	32	WerFault.exe	143
5020	2968	WerFault.exe	148
4436	4080	WerFault.exe	105

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4172	70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4080	4172	70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe	105
PID 4172 wrote to memory of 4080	4172	70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe	105
PID 4172 wrote to memory of 4080	4172	70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe	105

C:\Users\Admin\AppData\Local\Temp\70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe
"C:\Users\Admin\AppData\Local\Temp\70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 572
  2⤵
  - Program crash
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 820
  2⤵
  - Program crash
  PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 876
  2⤵
  - Program crash
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 932
  2⤵
  - Program crash
  PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 876
  2⤵
  - Program crash
  PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 876
  2⤵
  - Program crash
  PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 960
  2⤵
  - Program crash
  PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1036
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1132
  2⤵
  - Program crash
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 588
    3⤵
    - Program crash
    PID:540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 632
    3⤵
    - Program crash
    PID:240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 660
    3⤵
    - Program crash
    PID:4416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 696
    3⤵
    - Program crash
    PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 740
    3⤵
    - Program crash
    PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 772
    3⤵
    - Program crash
    PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 904
    3⤵
    - Program crash
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 936
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 956
    3⤵
    - Program crash
    PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 752
    3⤵
    - Program crash
    PID:2576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 984
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1068
    3⤵
    - Program crash
    PID:2340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1204
    3⤵
    - Program crash
    PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1452
    3⤵
    - Program crash
    PID:872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1480
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1464
    3⤵
    - Program crash
    PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1528
    3⤵
    - Program crash
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 888
    3⤵
    - Program crash
    PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1180
  2⤵
  - Program crash
  PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4172 -ip 4172
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4172 -ip 4172
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4172 -ip 4172
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4172 -ip 4172
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4172 -ip 4172
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4172 -ip 4172
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4172 -ip 4172
1⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4172 -ip 4172
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4172 -ip 4172
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4172 -ip 4172
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4080 -ip 4080
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4080 -ip 4080
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4080 -ip 4080
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4080 -ip 4080
1⤵
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4080 -ip 4080
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4080 -ip 4080
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4080 -ip 4080
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4080 -ip 4080
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4080 -ip 4080
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4080 -ip 4080
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4080 -ip 4080
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4080 -ip 4080
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4080 -ip 4080
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4080 -ip 4080
1⤵
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4080 -ip 4080
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 472
  2⤵
  - Program crash
  PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 32 -ip 32
1⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 472
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2968 -ip 2968
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4080 -ip 4080
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\524922173293

Filesize
82KB

MD5
f36659db2f49dddd7c3affbff5d1797c

SHA1
eb72bc02cbc03f3eae8dd679d6f2fb73d3ac7754

SHA256
5a4741838556f4e308b044147e61cd34c96528ec93734e47d00dc91f70ec11e2

SHA512
80de529cc6147dfd8612d5b6aad52dae094fd242db820568d2ef51ae533aefc25254063ee9d165dee083d28b024f59645b22bb20bd84b872c09f9e1a56782197

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
463KB

MD5
d20a3d88ce4efcf17d5af475e5cf4370

SHA1
7b7231f10aed63c58445efd9fd1e40a0df163acc

SHA256
70719c9030f6a556fb9769db5820fb369b5e6e6967651882aba35b3f9476dc1c

SHA512
65c4d56579c68697be9836e8df33d4ce0a43fb0c92cd63337bce5a55305017a637518b4dfbf18ee24433d461bbcb14f1b58e736910d9dbd42d9f57f48747089d

Download Submit
memory/32-45-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/32-47-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/32-46-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/32-44-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2968-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4080-39-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4080-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4080-38-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4172-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4172-2-0x0000000000920000-0x000000000098F000-memory.dmp

Filesize
444KB

Download
memory/4172-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4172-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4172-19-0x0000000000920000-0x000000000098F000-memory.dmp

Filesize
444KB

Download
memory/4172-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download