amadey | 4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842

Analysis

max time kernel
148s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe
Size

455KB
MD5

1f1403ec9b3f22e74f103ba830d057b9
SHA1

3e0eda6ac7523009dcff1b39b8b95f07d906d5eb
SHA256

4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842
SHA512

a00b53a51924b0d35246e1b4db5af7b49b74e25cbb064406acdbbf95d1f0a827038303780b2669d72e7fd1e087193cd20c6f9cb0ad47f8c609f1dbb45724aabc
SSDEEP

6144:/O/odTI5BVutOpVLMbkI+iHBVI+hHRJVxEVzhbyzJjiCl6XRpagzWhkDCIOu4TL:2/mMFuOpV2kI+/wXsbbyzJjtoBpFG//

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe

Executes dropped EXE 3 IoCs

pid	Process
4552	Dctooux.exe
4336	Dctooux.exe
1156	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 36 IoCs

pid	pid_target	Process	procid_target
2912	3964	WerFault.exe	80
464	3964	WerFault.exe	80
2588	3964	WerFault.exe	80
692	3964	WerFault.exe	80
4220	3964	WerFault.exe	80
5044	3964	WerFault.exe	80
2152	3964	WerFault.exe	80
4892	3964	WerFault.exe	80
1664	3964	WerFault.exe	80
5088	3964	WerFault.exe	80
3192	3964	WerFault.exe	80
4016	3964	WerFault.exe	80
5016	3964	WerFault.exe	80
2008	4552	WerFault.exe	103
1228	4552	WerFault.exe	103
1964	4552	WerFault.exe	103
884	4552	WerFault.exe	103
4956	4552	WerFault.exe	103
3568	4552	WerFault.exe	103
2384	4552	WerFault.exe	103
3592	4552	WerFault.exe	103
2836	4552	WerFault.exe	103
4252	4552	WerFault.exe	103
1260	4552	WerFault.exe	103
2488	4552	WerFault.exe	103
224	4552	WerFault.exe	103
1672	4552	WerFault.exe	103
1436	4552	WerFault.exe	103
1176	4552	WerFault.exe	103
3368	4336	WerFault.exe	146
2424	4336	WerFault.exe	146
2572	4336	WerFault.exe	146
3284	1156	WerFault.exe	158
1160	1156	WerFault.exe	158
2824	1156	WerFault.exe	158
3868	4552	WerFault.exe	103

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3964	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4552	3964	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe	103
PID 3964 wrote to memory of 4552	3964	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe	103
PID 3964 wrote to memory of 4552	3964	4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe	103

C:\Users\Admin\AppData\Local\Temp\4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe
"C:\Users\Admin\AppData\Local\Temp\4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 756
  2⤵
  - Program crash
  PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 800
  2⤵
  - Program crash
  PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 856
  2⤵
  - Program crash
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 904
  2⤵
  - Program crash
  PID:692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 928
  2⤵
  - Program crash
  PID:4220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 932
  2⤵
  - Program crash
  PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1132
  2⤵
  - Program crash
  PID:2152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1136
  2⤵
  - Program crash
  PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1320
  2⤵
  - Program crash
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 556
    3⤵
    - Program crash
    PID:2008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 576
    3⤵
    - Program crash
    PID:1228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 580
    3⤵
    - Program crash
    PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 648
    3⤵
    - Program crash
    PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 704
    3⤵
    - Program crash
    PID:4956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 884
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 920
    3⤵
    - Program crash
    PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 884
    3⤵
    - Program crash
    PID:3592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 724
    3⤵
    - Program crash
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 992
    3⤵
    - Program crash
    PID:4252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1016
    3⤵
    - Program crash
    PID:1260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1180
    3⤵
    - Program crash
    PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1408
    3⤵
    - Program crash
    PID:224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1368
    3⤵
    - Program crash
    PID:1672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1208
    3⤵
    - Program crash
    PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1476
    3⤵
    - Program crash
    PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 888
    3⤵
    - Program crash
    PID:3868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1056
  2⤵
  - Program crash
  PID:5088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1068
  2⤵
  - Program crash
  PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1092
  2⤵
  - Program crash
  PID:4016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1312
  2⤵
  - Program crash
  PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
1⤵
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3964 -ip 3964
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3964 -ip 3964
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3964 -ip 3964
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3964 -ip 3964
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3964 -ip 3964
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3964 -ip 3964
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3964 -ip 3964
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3964 -ip 3964
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3964 -ip 3964
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3964 -ip 3964
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3964 -ip 3964
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3964 -ip 3964
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4552 -ip 4552
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4552 -ip 4552
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4552 -ip 4552
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4552 -ip 4552
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4552 -ip 4552
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4552 -ip 4552
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4552 -ip 4552
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4552 -ip 4552
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4552 -ip 4552
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4552 -ip 4552
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4552 -ip 4552
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4552 -ip 4552
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4552 -ip 4552
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4552 -ip 4552
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4552 -ip 4552
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4552 -ip 4552
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 440
  2⤵
  - Program crash
  PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 448
  2⤵
  - Program crash
  PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 496
  2⤵
  - Program crash
  PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4336 -ip 4336
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4336 -ip 4336
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4336 -ip 4336
1⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 440
  2⤵
  - Program crash
  PID:3284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 448
  2⤵
  - Program crash
  PID:1160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 460
  2⤵
  - Program crash
  PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1156 -ip 1156
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1156 -ip 1156
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 1156 -ip 1156
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4552 -ip 4552
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\337824034273

Filesize
80KB

MD5
cbcf00d2ada2d05d361c90beefe908a7

SHA1
1fda5d0991f78241d120d580d3244fe60048439f

SHA256
451166c191f5b8cfc3f3622f3b61e9453988ab95961b4a42f2f7977ce2dadc3d

SHA512
6391d51e0df361f919c6854a44c00f55975586136cefb81dba7ff0e66a48c1c18597e865040a72a47317a8efe1eb73525688efa0e55208f40b32dbc11491ec1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
455KB

MD5
1f1403ec9b3f22e74f103ba830d057b9

SHA1
3e0eda6ac7523009dcff1b39b8b95f07d906d5eb

SHA256
4122bda2bff849b89259410bd1b4dd4849458035cb41a5206ba3d8ba065b6842

SHA512
a00b53a51924b0d35246e1b4db5af7b49b74e25cbb064406acdbbf95d1f0a827038303780b2669d72e7fd1e087193cd20c6f9cb0ad47f8c609f1dbb45724aabc

Download Submit
memory/1156-57-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1156-58-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3964-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3964-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3964-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3964-19-0x0000000000740000-0x00000000007AB000-memory.dmp

Filesize
428KB

Download
memory/3964-2-0x0000000000740000-0x00000000007AB000-memory.dmp

Filesize
428KB

Download
memory/3964-1-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/4336-45-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4336-48-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4336-47-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4336-46-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4552-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4552-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4552-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4552-23-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4552-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download