amadey | 92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0

General

Target

92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
Size

487KB
MD5

8be0b813433ecaf59aaf4d9cf11a5a57
SHA1

0579e197791727f99ea5f5df932d6f175e31fd33
SHA256

92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0
SHA512

33cb1bc0bf9d5b1038a3e55dcd3e0ae72934ab0bd47d6635ce3fdb35865c20352b542250a6f7f2d8902ab000778c66392016b0a3d1e17846b0c737ea21c6caf2
SSDEEP

6144:KzoL3R5VE6DASsbmxKTZqtJ4AP4D8i0UACsy0iNUDi+b3gycwPgAwy7Qj/rU30r5:3rbVE6D0baWqfZZ9q09DmHwPdMr0

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

3592 Dctooux.exe
900 Dctooux.exe
4076 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3592	Dctooux.exe
900	Dctooux.exe
4076	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
128	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
2348	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
4956	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
3264	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
4816	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
1992	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
1600	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
4952	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
4912	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
1832	4372	WerFault.exe	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
3588	3592	WerFault.exe	Dctooux.exe
2016	3592	WerFault.exe	Dctooux.exe
2248	3592	WerFault.exe	Dctooux.exe
744	3592	WerFault.exe	Dctooux.exe
2712	3592	WerFault.exe	Dctooux.exe
4004	3592	WerFault.exe	Dctooux.exe
792	3592	WerFault.exe	Dctooux.exe
4948	3592	WerFault.exe	Dctooux.exe
2948	3592	WerFault.exe	Dctooux.exe
4548	3592	WerFault.exe	Dctooux.exe
3012	3592	WerFault.exe	Dctooux.exe
2756	3592	WerFault.exe	Dctooux.exe
3112	3592	WerFault.exe	Dctooux.exe
2092	3592	WerFault.exe	Dctooux.exe
3972	3592	WerFault.exe	Dctooux.exe
2428	3592	WerFault.exe	Dctooux.exe
2964	3592	WerFault.exe	Dctooux.exe
3028	3592	WerFault.exe	Dctooux.exe
4772	900	WerFault.exe	Dctooux.exe
3544	4076	WerFault.exe	Dctooux.exe
4060	3592	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

pid process

4372 92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

pid	process
4372	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe

description	pid	process	target process
PID 4372 wrote to memory of 3592	4372	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe	Dctooux.exe
PID 4372 wrote to memory of 3592	4372	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe	Dctooux.exe
PID 4372 wrote to memory of 3592	4372	92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe
"C:\Users\Admin\AppData\Local\Temp\92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 776
2⤵
- Program crash
PID:128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 820
2⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 836
2⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 932
2⤵
- Program crash
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 936
2⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 948
2⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 836
2⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1036
2⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 1132
2⤵
- Program crash
PID:4912

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 588
3⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 628
3⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 652
3⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 684
3⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 692
3⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 760
3⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 896
3⤵
- Program crash
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 904
3⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 904
3⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 748
3⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 976
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1048
3⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1208
3⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1452
3⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1428
3⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1404
3⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1512
3⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1568
3⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 948
3⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 844
2⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4372 -ip 4372
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4372 -ip 4372
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4372 -ip 4372
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4372 -ip 4372
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4372 -ip 4372
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4372 -ip 4372
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4372 -ip 4372
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4372 -ip 4372
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4372 -ip 4372
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4372 -ip 4372
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3592 -ip 3592
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3592 -ip 3592
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3592 -ip 3592
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3592 -ip 3592
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3592 -ip 3592
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 3592
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3592 -ip 3592
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3592 -ip 3592
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 3592
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3592 -ip 3592
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 3592
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3592 -ip 3592
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3592 -ip 3592
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3592 -ip 3592
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3592 -ip 3592
1⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 472
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 900 -ip 900
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 472
2⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4076 -ip 4076
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 3592
1⤵
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\672260578815
Filesize
82KB

MD5
96fbb61a5511619a818f6ef39c5fc1dc

SHA1
67290092331bda763e4db517397953d1acd91a31

SHA256
e0dbed62bbca51469d1df629005442d11590568ea0d88e80b8c7fcafed90209c

SHA512
bfd59caf755687a23bce89de10ebe63dcab7bad89a1404019b3f94e4c7fe8b7f7d04f1d86cb2d666bc632a67f20e443dc9211e8d36d6d21229b7c36323c4e33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
487KB

MD5
8be0b813433ecaf59aaf4d9cf11a5a57

SHA1
0579e197791727f99ea5f5df932d6f175e31fd33

SHA256
92592f0bbdcd5ae6d311a96644a2bdaa000042ec3ec800fbf56273b6855313a0

SHA512
33cb1bc0bf9d5b1038a3e55dcd3e0ae72934ab0bd47d6635ce3fdb35865c20352b542250a6f7f2d8902ab000778c66392016b0a3d1e17846b0c737ea21c6caf2

Download Submit
memory/900-44-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/3592-25-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/3592-16-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/3592-17-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/3592-26-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/3592-39-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/4076-53-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/4372-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4372-18-0x0000000000400000-0x0000000002766000-memory.dmp

Filesize
35.4MB

Download
memory/4372-19-0x0000000004480000-0x00000000044EF000-memory.dmp

Filesize
444KB

Download
memory/4372-2-0x0000000004480000-0x00000000044EF000-memory.dmp

Filesize
444KB

Download
memory/4372-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4372-1-0x0000000002AE0000-0x0000000002BE0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing