amadey | 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47

General

Target

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
Size

493KB
MD5

a5fa094e095dfb920a4220705a532a2d
SHA1

8941012262f65c77c0b02dd14f8e5e815d5501a2
SHA256

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47
SHA512

20ce7a15bc21b1344692d997a2bb66ca23acefa8cba33c92ef18e62a619776c3a8ca03e94e05ee79cb20b5420c2ee1376eccf4856f4055853856ccd13bd5f336
SSDEEP

6144:YKFLGh6SZ6dHocboIPT8mT7yMhNnyvTBe9Gmki8xN/ew7I84Qs+Pg2X:B6kSZ627coJMvnytvVixEIb

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

912 Dctooux.exe
1224 Dctooux.exe
4112 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
912	Dctooux.exe
1224	Dctooux.exe
4112	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4576	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
3952	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
1356	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4888	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
884	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
1520	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
2656	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
3932	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
3248	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4112	4960	WerFault.exe	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
4016	912	WerFault.exe	Dctooux.exe
3740	912	WerFault.exe	Dctooux.exe
2004	912	WerFault.exe	Dctooux.exe
1428	912	WerFault.exe	Dctooux.exe
2000	912	WerFault.exe	Dctooux.exe
2132	912	WerFault.exe	Dctooux.exe
3120	912	WerFault.exe	Dctooux.exe
2552	912	WerFault.exe	Dctooux.exe
4880	912	WerFault.exe	Dctooux.exe
1512	912	WerFault.exe	Dctooux.exe
4796	912	WerFault.exe	Dctooux.exe
3576	912	WerFault.exe	Dctooux.exe
852	912	WerFault.exe	Dctooux.exe
3196	912	WerFault.exe	Dctooux.exe
4980	912	WerFault.exe	Dctooux.exe
3372	912	WerFault.exe	Dctooux.exe
1960	912	WerFault.exe	Dctooux.exe
3216	912	WerFault.exe	Dctooux.exe
2468	1224	WerFault.exe	Dctooux.exe
4644	4112	WerFault.exe	Dctooux.exe
2224	912	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

pid process

4960 29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

pid	process
4960	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe

description	pid	process	target process
PID 4960 wrote to memory of 912	4960	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe
PID 4960 wrote to memory of 912	4960	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe
PID 4960 wrote to memory of 912	4960	29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe
"C:\Users\Admin\AppData\Local\Temp\29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 784
2⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 816
2⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 836
2⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 924
2⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 940
2⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 960
2⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1016
2⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1016
2⤵
- Program crash
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1016
2⤵
- Program crash
PID:3248

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 592
3⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 608
3⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 616
3⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 688
3⤵
- Program crash
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 720
3⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 760
3⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 784
3⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 912
3⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 956
3⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 756
3⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 972
3⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1068
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1076
3⤵
- Program crash
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1216
3⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1336
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1464
3⤵
- Program crash
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1536
3⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1576
3⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 860
3⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 740
2⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4960 -ip 4960
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4960 -ip 4960
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4960 -ip 4960
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4960 -ip 4960
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4960 -ip 4960
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4960 -ip 4960
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4960 -ip 4960
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4960 -ip 4960
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 912 -ip 912
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 912 -ip 912
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 912 -ip 912
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 912 -ip 912
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 912 -ip 912
1⤵
PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 912 -ip 912
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 912 -ip 912
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 912 -ip 912
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 912 -ip 912
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 912 -ip 912
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 912 -ip 912
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 912 -ip 912
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 912 -ip 912
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 912 -ip 912
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 912 -ip 912
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 912 -ip 912
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 912 -ip 912
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 912 -ip 912
1⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 468
2⤵
- Program crash
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1224 -ip 1224
1⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 480
2⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4112 -ip 4112
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 912 -ip 912
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\394516847340
Filesize
75KB

MD5
67d0b1d803a42e4d439607d3dd360ccb

SHA1
734476c2d0e667aaa25cc1a19681f6e126755489

SHA256
5099441caf703e97551c48918cac45e410ce7e06ed4b650568a38eada701ffd5

SHA512
5575b6a490b9a552a1cc9d612014320b1ab698dc86fdf4a7600a23889147b73c8b7fc25e26e5bb4737ebb2b162fb86ba31ef8e5d59cb3dba0cb5aad7514e8343

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
493KB

MD5
a5fa094e095dfb920a4220705a532a2d

SHA1
8941012262f65c77c0b02dd14f8e5e815d5501a2

SHA256
29973d8dbf57f0140fa4790ebf3ef07f8abd3b87c487817475253f5349d4ee47

SHA512
20ce7a15bc21b1344692d997a2bb66ca23acefa8cba33c92ef18e62a619776c3a8ca03e94e05ee79cb20b5420c2ee1376eccf4856f4055853856ccd13bd5f336

Download Submit
memory/912-16-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/912-34-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/912-35-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/1224-41-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4112-50-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download
memory/4960-1-0x00000000028C0000-0x00000000029C0000-memory.dmp

Filesize
1024KB

Download
memory/4960-2-0x0000000004470000-0x00000000044DF000-memory.dmp

Filesize
444KB

Download
memory/4960-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4960-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4960-17-0x0000000000400000-0x0000000002768000-memory.dmp

Filesize
35.4MB

Download

Analysis

Sharing