amadey | 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61

General

Target

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
Size

491KB
MD5

052e6b664d68958cff0d19ef11286662
SHA1

abe767326cf2188599f6b59863e74ade34e48d73
SHA256

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512

93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b
SSDEEP

6144:HN+Le4r9Wm2moCgSBpFLoS7MWh1z4160yiFwb6WZY0M4mEZGDAeOGUI:Eq4rYRfaxYOgq6WZY/

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

3544 Dctooux.exe
5060 Dctooux.exe
4840 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3544	Dctooux.exe
5060	Dctooux.exe
4840	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4496	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
4980	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
544	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
3808	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
4068	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
2440	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
3068	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
220	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
2844	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
4856	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
4544	3012	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
3420	3544	WerFault.exe	Dctooux.exe
4448	3544	WerFault.exe	Dctooux.exe
2392	3544	WerFault.exe	Dctooux.exe
952	3544	WerFault.exe	Dctooux.exe
3384	3544	WerFault.exe	Dctooux.exe
4920	3544	WerFault.exe	Dctooux.exe
4808	3544	WerFault.exe	Dctooux.exe
1048	3544	WerFault.exe	Dctooux.exe
448	3544	WerFault.exe	Dctooux.exe
2412	3544	WerFault.exe	Dctooux.exe
5116	3544	WerFault.exe	Dctooux.exe
456	3544	WerFault.exe	Dctooux.exe
3240	3544	WerFault.exe	Dctooux.exe
3136	3544	WerFault.exe	Dctooux.exe
2204	3544	WerFault.exe	Dctooux.exe
3872	3544	WerFault.exe	Dctooux.exe
2448	3544	WerFault.exe	Dctooux.exe
1888	5060	WerFault.exe	Dctooux.exe
3908	4840	WerFault.exe	Dctooux.exe
2228	3544	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

pid process

3012 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

pid	process
3012	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description	pid	process	target process
PID 3012 wrote to memory of 3544	3012	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe
PID 3012 wrote to memory of 3544	3012	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe
PID 3012 wrote to memory of 3544	3012	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 756
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 804
2⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 820
2⤵
- Program crash
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 828
2⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 932
2⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 960
2⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1132
2⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1208
2⤵
- Program crash
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1264
2⤵
- Program crash
PID:2844

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 560
3⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 536
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 604
3⤵
- Program crash
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 652
3⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 660
3⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 796
3⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 884
3⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 912
3⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 912
3⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 972
3⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 988
3⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 964
3⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1164
3⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1408
3⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1356
3⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1440
3⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 1432
3⤵
- Program crash
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 888
3⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 1060
2⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 808
2⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3012 -ip 3012
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3012 -ip 3012
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3012 -ip 3012
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3012 -ip 3012
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3012 -ip 3012
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3012 -ip 3012
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3012 -ip 3012
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3012 -ip 3012
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3012 -ip 3012
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3012 -ip 3012
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3012 -ip 3012
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3544 -ip 3544
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3544 -ip 3544
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3544 -ip 3544
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3544 -ip 3544
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3544 -ip 3544
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3544 -ip 3544
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3544 -ip 3544
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3544 -ip 3544
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3544 -ip 3544
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3544 -ip 3544
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3544 -ip 3544
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3544 -ip 3544
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3544 -ip 3544
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3544 -ip 3544
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3544 -ip 3544
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3544 -ip 3544
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3544 -ip 3544
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 448
2⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 5060 -ip 5060
1⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 440
2⤵
- Program crash
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4840 -ip 4840
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3544 -ip 3544
1⤵
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\447855248390
Filesize
82KB

MD5
b668373ed7a1b5b487c8349668d4eaf8

SHA1
d29078c19646886504a8adf82207eded933b906c

SHA256
7a67c9b176a6b77b63f5a77955cb3d263d4f77917baac94407712dc759a91bfb

SHA512
6a6291f4ad6df45b64879db13df6eceec69e431069a9bb81a66766c98bb694798c2d5fa23483cd3ed8a7763c1e10d00722325e3daa580b0f52ffd7940244bfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
491KB

MD5
052e6b664d68958cff0d19ef11286662

SHA1
abe767326cf2188599f6b59863e74ade34e48d73

SHA256
314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61

SHA512
93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

Download Submit
memory/3012-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3012-2-0x0000000002910000-0x000000000297F000-memory.dmp

Filesize
444KB

Download
memory/3012-19-0x0000000002910000-0x000000000297F000-memory.dmp

Filesize
444KB

Download
memory/3012-1-0x00000000029F0000-0x0000000002AF0000-memory.dmp

Filesize
1024KB

Download
memory/3012-17-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3012-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3544-16-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3544-35-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3544-36-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/4840-50-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/5060-41-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads