amadey | 2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850

Analysis

max time kernel
146s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
16-06-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe
Size

465KB
MD5

422e0b8f29c28f52836d6c6d73c97066
SHA1

3c5a4300122ebb40e3f9de2a393dbdbb3238956b
SHA256

2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850
SHA512

7083ecdb9537e1c5d8838b9047bebdbc69390329583f99492db949089a320114fc25b48ee77e474ecf7fbbd4613940949c0092d14fd829368a07c7a968700aa2
SSDEEP

6144:hWw6nJViV/qYkHOXPbTSXuSNGevcsScJYL3FAavvK41T3Ge/WIOubT2:YfJViV+APK0evlScJYL3FAavvlN1W/8

Score

10^/10

amadey 9a3efc trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

http://check-ftp.ru

Attributes

install_dir
b9695770f1
install_file
Dctooux.exe
strings_key
1d3a0f2941c4060dba7f23a378474944
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
1708	Dctooux.exe
2360	Dctooux.exe
5008	Dctooux.exe
2936	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 30 IoCs

pid	pid_target	Process	procid_target
1424	596	WerFault.exe	79
2744	596	WerFault.exe	79
2816	596	WerFault.exe	79
4504	596	WerFault.exe	79
2380	596	WerFault.exe	79
2192	596	WerFault.exe	79
3844	596	WerFault.exe	79
4240	596	WerFault.exe	79
4112	596	WerFault.exe	79
740	596	WerFault.exe	79
484	1708	WerFault.exe	99
1392	1708	WerFault.exe	99
1004	1708	WerFault.exe	99
940	1708	WerFault.exe	99
1444	1708	WerFault.exe	99
2384	1708	WerFault.exe	99
3940	1708	WerFault.exe	99
1304	1708	WerFault.exe	99
5044	1708	WerFault.exe	99
72	1708	WerFault.exe	99
4836	1708	WerFault.exe	99
2248	1708	WerFault.exe	99
1780	1708	WerFault.exe	99
964	1708	WerFault.exe	99
1536	1708	WerFault.exe	99
1588	1708	WerFault.exe	99
2100	2360	WerFault.exe	134
2756	5008	WerFault.exe	137
1856	1708	WerFault.exe	99
3928	2936	WerFault.exe	143

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
596	2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 1708	596	2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe	99
PID 596 wrote to memory of 1708	596	2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe	99
PID 596 wrote to memory of 1708	596	2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe	99

C:\Users\Admin\AppData\Local\Temp\2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe
"C:\Users\Admin\AppData\Local\Temp\2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 776
  2⤵
  - Program crash
  PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 820
  2⤵
  - Program crash
  PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 836
  2⤵
  - Program crash
  PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 948
  2⤵
  - Program crash
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 928
  2⤵
  - Program crash
  PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 940
  2⤵
  - Program crash
  PID:2192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1020
  2⤵
  - Program crash
  PID:3844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1060
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1132
  2⤵
  - Program crash
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 584
    3⤵
    - Program crash
    PID:484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 604
    3⤵
    - Program crash
    PID:1392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 620
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 712
    3⤵
    - Program crash
    PID:940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 740
    3⤵
    - Program crash
    PID:1444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 896
    3⤵
    - Program crash
    PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 724
    3⤵
    - Program crash
    PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 948
    3⤵
    - Program crash
    PID:1304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 988
    3⤵
    - Program crash
    PID:5044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 748
    3⤵
    - Program crash
    PID:72
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1068
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1228
    3⤵
    - Program crash
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1448
    3⤵
    - Program crash
    PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1468
    3⤵
    - Program crash
    PID:964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1444
    3⤵
    - Program crash
    PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1524
    3⤵
    - Program crash
    PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 900
    3⤵
    - Program crash
    PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1204
  2⤵
  - Program crash
  PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 596 -ip 596
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 596 -ip 596
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 596 -ip 596
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 596 -ip 596
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 596 -ip 596
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 596 -ip 596
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 596 -ip 596
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 596 -ip 596
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 596 -ip 596
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 596 -ip 596
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1708 -ip 1708
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1708 -ip 1708
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1708 -ip 1708
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1708 -ip 1708
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1708 -ip 1708
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1708 -ip 1708
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1708 -ip 1708
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1708 -ip 1708
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1708 -ip 1708
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1708 -ip 1708
1⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 488
  2⤵
  - Program crash
  PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2360 -ip 2360
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 488
  2⤵
  - Program crash
  PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5008 -ip 5008
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1708 -ip 1708
1⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 488
  2⤵
  - Program crash
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2936 -ip 2936
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\524922173293

Filesize
82KB

MD5
cc4517443ea3c006ee921191000c323a

SHA1
274b71f8bd7d3249ff8b002139797e17bacc0cfb

SHA256
4a4700a42487c75924911c2e5f5b595e70bec0a81f71ce47f2a9c993dc053e7c

SHA512
02955170bda14c7ed2577f6fd48f5a8faf11d3d98db1db11fb78ef7883868527182a3cc32fc4ec1c1697be0235959e39fc69b833fc43e2bbe630555b5ebd86d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Filesize
465KB

MD5
422e0b8f29c28f52836d6c6d73c97066

SHA1
3c5a4300122ebb40e3f9de2a393dbdbb3238956b

SHA256
2a3ba2217f8003eb20838f59e5312aea6cb3d520b65e29e36b27f6a19b438850

SHA512
7083ecdb9537e1c5d8838b9047bebdbc69390329583f99492db949089a320114fc25b48ee77e474ecf7fbbd4613940949c0092d14fd829368a07c7a968700aa2

Download Submit
memory/596-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/596-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/596-2-0x00000000007F0000-0x000000000085B000-memory.dmp

Filesize
428KB

Download
memory/596-19-0x00000000007F0000-0x000000000085B000-memory.dmp

Filesize
428KB

Download
memory/596-18-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/596-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1708-31-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1708-22-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1708-44-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2360-41-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2360-42-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2360-43-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2936-61-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5008-52-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download