amadey | 3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
19/06/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe
Size

414KB
MD5

4c3158a6f1e1b42a943637dd968da75b
SHA1

dec429d3e401bf9c53630ff6b0d1fa8bb3e4bb83
SHA256

3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008
SHA512

a42784e3cef0001b85797157db738581c259f5a6b6505205354f09a7ad71e4c3c923b2761ce483ab4d1edeef1810d3d7b3c42ef847d92b60a8c341694a53d4b3
SSDEEP

6144:+2SbPYgnAMh0SizACrYVWgxRbKMxjx2BW2RI8e5WAw7+cH:+XPYg/8AC8RxRbKMxjsB7RI8e5WjFH

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
1032	Dctooux.exe
4312	Dctooux.exe
1696	Dctooux.exe
4928	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
3556	1244	WerFault.exe	79
4728	1244	WerFault.exe	79
4312	1244	WerFault.exe	79
3932	1244	WerFault.exe	79
3604	1244	WerFault.exe	79
2676	1244	WerFault.exe	79
4804	1244	WerFault.exe	79
4920	1244	WerFault.exe	79
1468	1244	WerFault.exe	79
3836	1244	WerFault.exe	79
3092	1244	WerFault.exe	79
1080	1032	WerFault.exe	101
2772	1032	WerFault.exe	101
4800	1032	WerFault.exe	101
2424	1032	WerFault.exe	101
4604	1032	WerFault.exe	101
3712	1032	WerFault.exe	101
5100	1032	WerFault.exe	101
3432	1032	WerFault.exe	101
2876	1032	WerFault.exe	101
1892	1032	WerFault.exe	101
1916	1032	WerFault.exe	101
4616	1032	WerFault.exe	101
3144	1032	WerFault.exe	101
232	1032	WerFault.exe	101
788	1032	WerFault.exe	101
648	1032	WerFault.exe	101
1116	4312	WerFault.exe	138
4648	4312	WerFault.exe	138
244	1696	WerFault.exe	143
2684	1696	WerFault.exe	143
2312	1032	WerFault.exe	101

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1032	1244	3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe	101
PID 1244 wrote to memory of 1032	1244	3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe	101
PID 1244 wrote to memory of 1032	1244	3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe	101

C:\Users\Admin\AppData\Local\Temp\3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe
"C:\Users\Admin\AppData\Local\Temp\3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 776
  2⤵
  - Program crash
  PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 824
  2⤵
  - Program crash
  PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 876
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 952
  2⤵
  - Program crash
  PID:3932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 984
  2⤵
  - Program crash
  PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1016
  2⤵
  - Program crash
  PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 932
  2⤵
  - Program crash
  PID:4804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1064
  2⤵
  - Program crash
  PID:4920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 932
  2⤵
  - Program crash
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 584
    3⤵
    - Program crash
    PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 604
    3⤵
    - Program crash
    PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 620
    3⤵
    - Program crash
    PID:4800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 616
    3⤵
    - Program crash
    PID:2424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 756
    3⤵
    - Program crash
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 896
    3⤵
    - Program crash
    PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 780
    3⤵
    - Program crash
    PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 928
    3⤵
    - Program crash
    PID:3432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 936
    3⤵
    - Program crash
    PID:2876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 972
    3⤵
    - Program crash
    PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1048
    3⤵
    - Program crash
    PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1056
    3⤵
    - Program crash
    PID:4616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1304
    3⤵
    - Program crash
    PID:3144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1444
    3⤵
    - Program crash
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1304
    3⤵
    - Program crash
    PID:788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1516
    3⤵
    - Program crash
    PID:648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 900
    3⤵
    - Program crash
    PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 788
  2⤵
  - Program crash
  PID:3836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 944
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 1244 -ip 1244
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1244 -ip 1244
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1244 -ip 1244
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 1244
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1244 -ip 1244
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1244 -ip 1244
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1244 -ip 1244
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1244 -ip 1244
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1244 -ip 1244
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 1244
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1244 -ip 1244
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1032 -ip 1032
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1032 -ip 1032
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1032 -ip 1032
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1032 -ip 1032
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1032 -ip 1032
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1032 -ip 1032
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1032 -ip 1032
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1032 -ip 1032
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1032 -ip 1032
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1032 -ip 1032
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1032 -ip 1032
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1032 -ip 1032
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1032 -ip 1032
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1032 -ip 1032
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1032 -ip 1032
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1032 -ip 1032
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 472
  2⤵
  - Program crash
  PID:1116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 512
  2⤵
  - Program crash
  PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4312 -ip 4312
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4312 -ip 4312
1⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 480
  2⤵
  - Program crash
  PID:244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 468
  2⤵
  - Program crash
  PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1696 -ip 1696
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1696 -ip 1696
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1032 -ip 1032
1⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\394516847340

Filesize
84KB

MD5
2c4f1f08d21e7a2741353d3ff74a5aab

SHA1
7f88002af2810e7ca87c75b94d0ab68f35749d31

SHA256
cdeb9206b4d9335661c70a96f1e47b268c77352c53de8ad3767985f657bfb1d9

SHA512
398f5e988d5d34d35519995db5a2fbf933bcb006629d41808e227751070251bbd5cce06bcd9bd603fb30f9e19f6bdd5050d38708e8b4b80963bc288077a3edd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
414KB

MD5
4c3158a6f1e1b42a943637dd968da75b

SHA1
dec429d3e401bf9c53630ff6b0d1fa8bb3e4bb83

SHA256
3bef2f84a63d0bd042489e239ff3ad70617d15b45b71e8d5bb2cb4f460a8c008

SHA512
a42784e3cef0001b85797157db738581c259f5a6b6505205354f09a7ad71e4c3c923b2761ce483ab4d1edeef1810d3d7b3c42ef847d92b60a8c341694a53d4b3

Download Submit
memory/1032-20-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1032-39-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1032-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1244-23-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1244-21-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1244-22-0x0000000002180000-0x00000000021EB000-memory.dmp

Filesize
428KB

Download
memory/1244-1-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1244-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1244-2-0x0000000002180000-0x00000000021EB000-memory.dmp

Filesize
428KB

Download
memory/1696-55-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-43-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-44-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-45-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4312-46-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download