amadey | 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47

General

Target

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
Size

493KB
MD5

a5fa094e095dfb920a4220705a532a2d
SHA1

8941012262f65c77c0b02dd14f8e5e815d5501a2
SHA256

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47
SHA512

20ce7a15bc21b1344692d997a2bb66ca23acefa8cba33c92ef18e62a619776c3a8ca03e94e05ee79cb20b5420c2ee1376eccf4856f4055853856ccd13bd5f336
SSDEEP

6144:YKFLGh6SZ6dHocboIPT8mT7yMhNnyvTBe9Gmki8xN/ew7I84Qs+Pg2X:B6kSZ627coJMvnytvVixEIb

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

4004 Dctooux.exe
756 Dctooux.exe
1764 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4004	Dctooux.exe
756	Dctooux.exe
1764	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2624	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
2648	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4456	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4940	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
3984	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
5052	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4820	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
844	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
3976	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
2584	4972	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4968	4004	WerFault.exe	Dctooux.exe
4868	4004	WerFault.exe	Dctooux.exe
1868	4004	WerFault.exe	Dctooux.exe
1380	4004	WerFault.exe	Dctooux.exe
2328	4004	WerFault.exe	Dctooux.exe
116	4004	WerFault.exe	Dctooux.exe
1200	4004	WerFault.exe	Dctooux.exe
2448	4004	WerFault.exe	Dctooux.exe
2376	4004	WerFault.exe	Dctooux.exe
4184	4004	WerFault.exe	Dctooux.exe
2660	4004	WerFault.exe	Dctooux.exe
4964	4004	WerFault.exe	Dctooux.exe
4768	4004	WerFault.exe	Dctooux.exe
3952	4004	WerFault.exe	Dctooux.exe
3012	4004	WerFault.exe	Dctooux.exe
4780	4004	WerFault.exe	Dctooux.exe
844	4004	WerFault.exe	Dctooux.exe
688	756	WerFault.exe	Dctooux.exe
4432	1764	WerFault.exe	Dctooux.exe
2832	4004	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

pid process

4972 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

pid	process
4972	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

description	pid	process	target process
PID 4972 wrote to memory of 4004	4972	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe
PID 4972 wrote to memory of 4004	4972	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe
PID 4972 wrote to memory of 4004	4972	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
"C:\Users\Admin\AppData\Local\Temp\29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 744
2⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 800
2⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 856
2⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 868
2⤵
- Program crash
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 924
2⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 960
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1136
2⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1168
2⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1236
2⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 560
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 568
3⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 600
3⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 660
3⤵
- Program crash
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 668
3⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 744
3⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 888
3⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 768
3⤵
- Program crash
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 932
3⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 952
3⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 928
3⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1020
3⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1164
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1408
3⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1484
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1508
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1504
3⤵
- Program crash
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 892
3⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 864
2⤵
- Program crash
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4972 -ip 4972
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4972 -ip 4972
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4972 -ip 4972
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4972 -ip 4972
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4972 -ip 4972
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4972 -ip 4972
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4972 -ip 4972
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4972 -ip 4972
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4972 -ip 4972
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4004 -ip 4004
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4004 -ip 4004
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4004 -ip 4004
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4004 -ip 4004
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4004 -ip 4004
1⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4004 -ip 4004
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4004 -ip 4004
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4004 -ip 4004
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4004 -ip 4004
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4004 -ip 4004
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4004 -ip 4004
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4004 -ip 4004
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4004 -ip 4004
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4004 -ip 4004
1⤵
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4004 -ip 4004
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4004 -ip 4004
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4004 -ip 4004
1⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 448
2⤵
- Program crash
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 756 -ip 756
1⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 444
2⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1764 -ip 1764
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4004 -ip 4004
1⤵
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080292272204
Filesize
77KB

MD5
f2366c62604093d32a798a8692e62eec

SHA1
1a6077d0a089c32fe2560b7a94c6a9f03bc11a88

SHA256
d1fcf3b579a5505b496f684bc890850675f128fef54c71dbd08ac022d01cc07b

SHA512
8cbcbaea5c173b837eb3e5e194c17e456754a80eddd28b202b9037ebb7f5d73bccb5116145b783eec8137d8bd790deaa14c496a216a2af80795d05f9e34c8856

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
493KB

MD5
a5fa094e095dfb920a4220705a532a2d

SHA1
8941012262f65c77c0b02dd14f8e5e815d5501a2

SHA256
29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47

SHA512
20ce7a15bc21b1344692d997a2bb66ca23acefa8cba33c92ef18e62a619776c3a8ca03e94e05ee79cb20b5420c2ee1376eccf4856f4055853856ccd13bd5f336

Download Submit
memory/756-43-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/1764-52-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4004-25-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4004-17-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4004-16-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4004-37-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4972-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4972-19-0x00000000043A0000-0x000000000440F000-memory.dmp

Filesize
444KB

Download
memory/4972-18-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4972-1-0x00000000027F0000-0x00000000028F0000-memory.dmp

Filesize
1024KB

Download
memory/4972-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4972-2-0x00000000043A0000-0x000000000440F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads