amadey | e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe
Size

470KB
MD5

d1759a47ff11caac001d51b4134f75c3
SHA1

627999cfe3d9f933f3c6e4a42476ee91387855f0
SHA256

e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273
SHA512

c670f25b12aa32da5552ad5ffefa19ab2c594f52c589de8055f0684aa2e2297646fef7d9d2652b0b14454e8a9c35f13c5d5f31dc75296079a6571515b5824495
SSDEEP

12288:4lBQ9JZZ2jRpQtvRmNY9rWvixv5JCg/8:t9UjUtoG9kid5JhU

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe

Executes dropped EXE 4 IoCs

pid	Process
5080	Dctooux.exe
3616	Dctooux.exe
1708	Dctooux.exe
4564	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
3920	1428	WerFault.exe	80
3444	1428	WerFault.exe	80
2184	1428	WerFault.exe	80
2044	1428	WerFault.exe	80
1192	1428	WerFault.exe	80
3020	1428	WerFault.exe	80
3644	1428	WerFault.exe	80
4336	1428	WerFault.exe	80
2828	1428	WerFault.exe	80
4852	1428	WerFault.exe	80
3040	5080	WerFault.exe	106
4640	5080	WerFault.exe	106
3240	5080	WerFault.exe	106
2256	5080	WerFault.exe	106
4108	5080	WerFault.exe	106
4116	5080	WerFault.exe	106
3908	5080	WerFault.exe	106
2056	5080	WerFault.exe	106
4564	5080	WerFault.exe	106
4560	5080	WerFault.exe	106
3808	5080	WerFault.exe	106
4812	5080	WerFault.exe	106
3420	5080	WerFault.exe	106
2900	5080	WerFault.exe	106
5068	5080	WerFault.exe	106
3636	3616	WerFault.exe	139
4508	1708	WerFault.exe	145
2424	5080	WerFault.exe	106
3620	4564	WerFault.exe	150
3760	4564	WerFault.exe	150

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1428	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 5080	1428	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe	106
PID 1428 wrote to memory of 5080	1428	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe	106
PID 1428 wrote to memory of 5080	1428	e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe	106

C:\Users\Admin\AppData\Local\Temp\e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe
"C:\Users\Admin\AppData\Local\Temp\e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 768
  2⤵
  - Program crash
  PID:3920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 780
  2⤵
  - Program crash
  PID:3444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 860
  2⤵
  - Program crash
  PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 924
  2⤵
  - Program crash
  PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 932
  2⤵
  - Program crash
  PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 972
  2⤵
  - Program crash
  PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1140
  2⤵
  - Program crash
  PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1248
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1268
  2⤵
  - Program crash
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 556
    3⤵
    - Program crash
    PID:3040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 576
    3⤵
    - Program crash
    PID:4640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 564
    3⤵
    - Program crash
    PID:3240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 648
    3⤵
    - Program crash
    PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 724
    3⤵
    - Program crash
    PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 852
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 924
    3⤵
    - Program crash
    PID:3908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 944
    3⤵
    - Program crash
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 964
    3⤵
    - Program crash
    PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 960
    3⤵
    - Program crash
    PID:4560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 892
    3⤵
    - Program crash
    PID:3808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1156
    3⤵
    - Program crash
    PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1404
    3⤵
    - Program crash
    PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1448
    3⤵
    - Program crash
    PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1472
    3⤵
    - Program crash
    PID:5068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 928
    3⤵
    - Program crash
    PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1664
  2⤵
  - Program crash
  PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1428 -ip 1428
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1428 -ip 1428
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1428 -ip 1428
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1428 -ip 1428
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1428 -ip 1428
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1428 -ip 1428
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1428 -ip 1428
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1428 -ip 1428
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1428 -ip 1428
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1428 -ip 1428
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5080 -ip 5080
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5080 -ip 5080
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5080 -ip 5080
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5080 -ip 5080
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5080 -ip 5080
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5080 -ip 5080
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5080 -ip 5080
1⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 440
  2⤵
  - Program crash
  PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3616 -ip 3616
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 440
  2⤵
  - Program crash
  PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1708 -ip 1708
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5080 -ip 5080
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 436
  2⤵
  - Program crash
  PID:3620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 444
  2⤵
  - Program crash
  PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4564 -ip 4564
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4564 -ip 4564
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\004059303877

Filesize
84KB

MD5
60b50bb9be524e1c8a8e848385c6bbd8

SHA1
2a6e599904e5ff1e40ba66d48c604d01073b7af0

SHA256
9cdb3d83193e92b27268ed64afd8ef6e49629f8e22e590ba8bf3e2f8d28e2822

SHA512
0fa9e9471062bb4551e5a144c02187d69dce0a8b47ac7f045d1b84d8b0d8853cf5eaa18f50486331924844f1c605e86018645f0663777d3b732914d882d8ae11

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
470KB

MD5
d1759a47ff11caac001d51b4134f75c3

SHA1
627999cfe3d9f933f3c6e4a42476ee91387855f0

SHA256
e87ba73254f36e2459128a68d34aaea0eb7f9b5c9c12e96d3ecdd47cabca9273

SHA512
c670f25b12aa32da5552ad5ffefa19ab2c594f52c589de8055f0684aa2e2297646fef7d9d2652b0b14454e8a9c35f13c5d5f31dc75296079a6571515b5824495

Download Submit
memory/1428-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1428-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1428-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1428-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1428-19-0x0000000000730000-0x000000000079B000-memory.dmp

Filesize
428KB

Download
memory/1428-2-0x0000000000730000-0x000000000079B000-memory.dmp

Filesize
428KB

Download
memory/1708-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1708-54-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3616-44-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3616-45-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4564-64-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5080-40-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5080-24-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5080-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5080-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download