amadey | 00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654

Analysis

max time kernel
147s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16/06/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe
Size

470KB
MD5

4ace07145854a92831c064a173100383
SHA1

dea1676e2b6d7033686333948ff6f810d12e3793
SHA256

00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654
SHA512

2bfa8b49b4113f1b22017a9a56b2fe22875dabb384e2b49e4b388f051630a47b4cb6c895e1ee75e836ffb9eecebb2cdb31e32f298bfed905a4a9ef92aa46a2f4
SSDEEP

6144:J10iMdXq004Q3kLnfJKASLdDw6g5VSJKRa5FvJiAIhWXqAEIOubTi:ZkXD04DLnfyDIrRwJiuqH/8

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
2196	Dctooux.exe
4488	Dctooux.exe
4628	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
2368	416	WerFault.exe	78
1800	416	WerFault.exe	78
3928	416	WerFault.exe	78
4292	416	WerFault.exe	78
4760	416	WerFault.exe	78
1132	416	WerFault.exe	78
4488	416	WerFault.exe	78
1448	416	WerFault.exe	78
4816	416	WerFault.exe	78
380	416	WerFault.exe	78
4520	416	WerFault.exe	78
1656	2196	WerFault.exe	101
2148	2196	WerFault.exe	101
2572	2196	WerFault.exe	101
2740	2196	WerFault.exe	101
2560	2196	WerFault.exe	101
4108	2196	WerFault.exe	101
1512	2196	WerFault.exe	101
1188	2196	WerFault.exe	101
3116	2196	WerFault.exe	101
3468	2196	WerFault.exe	101
3280	2196	WerFault.exe	101
1296	2196	WerFault.exe	101
2496	2196	WerFault.exe	101
2548	2196	WerFault.exe	101
3076	2196	WerFault.exe	101
4592	2196	WerFault.exe	101
1052	2196	WerFault.exe	101
4908	2196	WerFault.exe	101
992	4488	WerFault.exe	141
2348	4628	WerFault.exe	144
3864	2196	WerFault.exe	101

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
416	00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 2196	416	00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe	101
PID 416 wrote to memory of 2196	416	00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe	101
PID 416 wrote to memory of 2196	416	00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe	101

C:\Users\Admin\AppData\Local\Temp\00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe
"C:\Users\Admin\AppData\Local\Temp\00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 776
  2⤵
  - Program crash
  PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 804
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 840
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 944
  2⤵
  - Program crash
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 948
  2⤵
  - Program crash
  PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 984
  2⤵
  - Program crash
  PID:1132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 928
  2⤵
  - Program crash
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 928
  2⤵
  - Program crash
  PID:1448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1132
  2⤵
  - Program crash
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 588
    3⤵
    - Program crash
    PID:1656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 596
    3⤵
    - Program crash
    PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 608
    3⤵
    - Program crash
    PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 652
    3⤵
    - Program crash
    PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 588
    3⤵
    - Program crash
    PID:2560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 760
    3⤵
    - Program crash
    PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
    3⤵
    - Program crash
    PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 920
    3⤵
    - Program crash
    PID:1188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 900
    3⤵
    - Program crash
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 964
    3⤵
    - Program crash
    PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 764
    3⤵
    - Program crash
    PID:3280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1068
    3⤵
    - Program crash
    PID:1296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1196
    3⤵
    - Program crash
    PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1452
    3⤵
    - Program crash
    PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1404
    3⤵
    - Program crash
    PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1488
    3⤵
    - Program crash
    PID:4592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1512
    3⤵
    - Program crash
    PID:1052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1536
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 904
    3⤵
    - Program crash
    PID:3864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1552
  2⤵
  - Program crash
  PID:380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1556
  2⤵
  - Program crash
  PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 416 -ip 416
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 416 -ip 416
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 416 -ip 416
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 416 -ip 416
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 416 -ip 416
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 416 -ip 416
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 416 -ip 416
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 416 -ip 416
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 416 -ip 416
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 416 -ip 416
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 416 -ip 416
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2196 -ip 2196
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2196 -ip 2196
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2196 -ip 2196
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2196 -ip 2196
1⤵
PID:132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2196 -ip 2196
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2196 -ip 2196
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2196 -ip 2196
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2196 -ip 2196
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2196 -ip 2196
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2196 -ip 2196
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2196 -ip 2196
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2196 -ip 2196
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2196 -ip 2196
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2196 -ip 2196
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2196 -ip 2196
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 472
  2⤵
  - Program crash
  PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4488 -ip 4488
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 472
  2⤵
  - Program crash
  PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4628 -ip 4628
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2196 -ip 2196
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\235821424191

Filesize
79KB

MD5
7f1505f466746b0ab3ea59955edb64b4

SHA1
17cef1d7f477289ee5b52900e0855d8291d091ec

SHA256
84d552d95acaa2b02d747193a17c6fc3fab062cced2f65f7fe9e796cb868ac07

SHA512
2762b29940452c3e1a9a8a513ada47e00f57e537643c90146010a67e63b63b9f8f972e888a0abdad5c70be556032c4a44c8326af10e32f0635a151ee9f615cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Filesize
470KB

MD5
4ace07145854a92831c064a173100383

SHA1
dea1676e2b6d7033686333948ff6f810d12e3793

SHA256
00ad5304c186001d365d8fa95bb11d0e564fb2c3f9cbf83de1ba2e1ccf4d9654

SHA512
2bfa8b49b4113f1b22017a9a56b2fe22875dabb384e2b49e4b388f051630a47b4cb6c895e1ee75e836ffb9eecebb2cdb31e32f298bfed905a4a9ef92aa46a2f4

Download Submit
memory/416-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/416-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/416-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/416-19-0x0000000002200000-0x000000000226F000-memory.dmp

Filesize
444KB

Download
memory/416-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/416-2-0x0000000002200000-0x000000000226F000-memory.dmp

Filesize
444KB

Download
memory/2196-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2196-38-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2196-39-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4488-46-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4488-47-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4488-48-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4628-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download