amadey | dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10

General

Target

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
Size

406KB
MD5

264bff6ce8a5df06c5a6fbe486a8ad1d
SHA1

eabf6024e86ffe5ca8433b24a1fdd464dcf37821
SHA256

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10
SHA512

0e9a4ebfb6b236cafa0b01aa91f5067f2f52c0f64bc94d8d386955ea4209f6ce711f1a6410b11d9766ffe311a742e2ba02f119fbf65610f6c8dc67b6abd296ea
SSDEEP

6144:ErX9Fb/Z/e+VWVzV/aogart1sxLI21r44Isc04auxxO7lli1OvKOOO/:MNuv/aolCIaZIRglKOdO0

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

4604 Dctooux.exe
760 Dctooux.exe
4408 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4604	Dctooux.exe
760	Dctooux.exe
4408	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3928	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
376	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3712	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1812	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1008	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3652	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
4500	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1940	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
736	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3308	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3204	3964	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
2364	4604	WerFault.exe	Dctooux.exe
2272	4604	WerFault.exe	Dctooux.exe
4516	4604	WerFault.exe	Dctooux.exe
4408	4604	WerFault.exe	Dctooux.exe
5000	4604	WerFault.exe	Dctooux.exe
2840	4604	WerFault.exe	Dctooux.exe
2648	4604	WerFault.exe	Dctooux.exe
4820	4604	WerFault.exe	Dctooux.exe
2888	4604	WerFault.exe	Dctooux.exe
4876	4604	WerFault.exe	Dctooux.exe
4304	4604	WerFault.exe	Dctooux.exe
2824	4604	WerFault.exe	Dctooux.exe
3700	4604	WerFault.exe	Dctooux.exe
1300	4604	WerFault.exe	Dctooux.exe
1796	4604	WerFault.exe	Dctooux.exe
4184	4604	WerFault.exe	Dctooux.exe
4372	4604	WerFault.exe	Dctooux.exe
2204	760	WerFault.exe	Dctooux.exe
2524	4408	WerFault.exe	Dctooux.exe
4560	4604	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

pid process

3964 dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

pid	process
3964	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

description	pid	process	target process
PID 3964 wrote to memory of 4604	3964	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe
PID 3964 wrote to memory of 4604	3964	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe
PID 3964 wrote to memory of 4604	3964	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
"C:\Users\Admin\AppData\Local\Temp\dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 756
2⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 740
2⤵
- Program crash
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 884
2⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 932
2⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 944
2⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 912
2⤵
- Program crash
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1108
2⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1228
2⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1288
2⤵
- Program crash
PID:736

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 560
3⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 568
3⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 596
3⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 612
3⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 620
3⤵
- Program crash
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 724
3⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 888
3⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 920
3⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 888
3⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 936
3⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 944
3⤵
- Program crash
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1020
3⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1028
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1408
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1432
3⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1468
3⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1488
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 716
3⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1028
2⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1344
2⤵
- Program crash
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3964 -ip 3964
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3964 -ip 3964
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3964 -ip 3964
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3964 -ip 3964
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3964 -ip 3964
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3964 -ip 3964
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3964 -ip 3964
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3964 -ip 3964
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3964 -ip 3964
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3964 -ip 3964
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4604 -ip 4604
1⤵
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4604 -ip 4604
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4604 -ip 4604
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4604 -ip 4604
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4604 -ip 4604
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4604 -ip 4604
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4604 -ip 4604
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4604 -ip 4604
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4604 -ip 4604
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4604 -ip 4604
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4604 -ip 4604
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4604 -ip 4604
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4604 -ip 4604
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4604 -ip 4604
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4604 -ip 4604
1⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 448
2⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 760 -ip 760
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 448
2⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4408 -ip 4408
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4604 -ip 4604
1⤵
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\337824034273
Filesize
80KB

MD5
0d288c32e54e064ea71784221e0ae518

SHA1
b9cbb43a1febacaac8f58919bbac906bc6f668f2

SHA256
ff02e08750d50d30edc3ce3aaa0d1fa836993a1804226c19b524e3f51eb3856d

SHA512
5d7990c2cbc80fb1e48462048ffd262e3846aacc5225317e09f7102c1729114f2cf66fff0831b2eb97fefed6e3c19c865898e130502237c34a020ea870b43d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
406KB

MD5
264bff6ce8a5df06c5a6fbe486a8ad1d

SHA1
eabf6024e86ffe5ca8433b24a1fdd464dcf37821

SHA256
dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10

SHA512
0e9a4ebfb6b236cafa0b01aa91f5067f2f52c0f64bc94d8d386955ea4209f6ce711f1a6410b11d9766ffe311a742e2ba02f119fbf65610f6c8dc67b6abd296ea

Download Submit
memory/760-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/760-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/760-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/760-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3964-16-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/3964-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3964-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/3964-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3964-2-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/4408-52-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4604-24-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4604-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4604-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4604-37-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads