amadey | dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10

General

Target

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
Size

406KB
MD5

264bff6ce8a5df06c5a6fbe486a8ad1d
SHA1

eabf6024e86ffe5ca8433b24a1fdd464dcf37821
SHA256

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10
SHA512

0e9a4ebfb6b236cafa0b01aa91f5067f2f52c0f64bc94d8d386955ea4209f6ce711f1a6410b11d9766ffe311a742e2ba02f119fbf65610f6c8dc67b6abd296ea
SSDEEP

6144:ErX9Fb/Z/e+VWVzV/aogart1sxLI21r44Isc04auxxO7lli1OvKOOO/:MNuv/aolCIaZIRglKOdO0

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

4872 Dctooux.exe
3580 Dctooux.exe
3540 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4872	Dctooux.exe
3580	Dctooux.exe
3540	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
360	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
2312	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1844	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
4928	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3348	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1260	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
3332	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
4584	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
4516	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
1968	3808	WerFault.exe	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
2296	4872	WerFault.exe	Dctooux.exe
1964	4872	WerFault.exe	Dctooux.exe
1496	4872	WerFault.exe	Dctooux.exe
3172	4872	WerFault.exe	Dctooux.exe
1864	4872	WerFault.exe	Dctooux.exe
4968	4872	WerFault.exe	Dctooux.exe
1984	4872	WerFault.exe	Dctooux.exe
484	4872	WerFault.exe	Dctooux.exe
4936	4872	WerFault.exe	Dctooux.exe
3824	4872	WerFault.exe	Dctooux.exe
1988	4872	WerFault.exe	Dctooux.exe
4608	4872	WerFault.exe	Dctooux.exe
2728	4872	WerFault.exe	Dctooux.exe
1668	4872	WerFault.exe	Dctooux.exe
1312	4872	WerFault.exe	Dctooux.exe
5092	4872	WerFault.exe	Dctooux.exe
3528	4872	WerFault.exe	Dctooux.exe
2420	3580	WerFault.exe	Dctooux.exe
2972	3540	WerFault.exe	Dctooux.exe
4980	4872	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

pid process

3808 dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

pid	process
3808	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe

description	pid	process	target process
PID 3808 wrote to memory of 4872	3808	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe
PID 3808 wrote to memory of 4872	3808	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe
PID 3808 wrote to memory of 4872	3808	dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe
"C:\Users\Admin\AppData\Local\Temp\dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 776
2⤵
- Program crash
PID:360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 788
2⤵
- Program crash
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 876
2⤵
- Program crash
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 948
2⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 876
2⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 948
2⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1012
2⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1012
2⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1132
2⤵
- Program crash
PID:4516

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 588
3⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 596
3⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 616
3⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 588
3⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 704
3⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 732
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 900
3⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 932
3⤵
- Program crash
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 952
3⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 628
3⤵
- Program crash
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 736
3⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1068
3⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1072
3⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1452
3⤵
- Program crash
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1424
3⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1440
3⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1528
3⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1564
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1180
2⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3808 -ip 3808
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3808 -ip 3808
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3808 -ip 3808
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3808 -ip 3808
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3808 -ip 3808
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3808 -ip 3808
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3808 -ip 3808
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3808 -ip 3808
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3808 -ip 3808
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3808 -ip 3808
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4872 -ip 4872
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4872 -ip 4872
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4872 -ip 4872
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4872 -ip 4872
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4872 -ip 4872
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4872 -ip 4872
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4872 -ip 4872
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4872 -ip 4872
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4872 -ip 4872
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4872 -ip 4872
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4872 -ip 4872
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4872 -ip 4872
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4872 -ip 4872
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4872 -ip 4872
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4872 -ip 4872
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4872 -ip 4872
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4872 -ip 4872
1⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 472
2⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3580 -ip 3580
1⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 488
2⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3540 -ip 3540
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4872 -ip 4872
1⤵
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\474490143322
Filesize
78KB

MD5
70689d5bce5d5bccfce2e9d2efddf3a5

SHA1
4e0abc9b3d0f28263ec78c06c8604290a762a276

SHA256
fe07e22ef97b78ee0f94edce2b21c9e0629500b960ffd2b08b7850b28579fe74

SHA512
0f3a6f1ffd85e0faf60d1cd394e59dd3baac77f3e6d8fe4904c84e280758346423797ae90ef0ce2893bae0bf6d047b3b84d9ea5eef7243677e41363351b40cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
406KB

MD5
264bff6ce8a5df06c5a6fbe486a8ad1d

SHA1
eabf6024e86ffe5ca8433b24a1fdd464dcf37821

SHA256
dcc79633a8bcb5bfdf3b24c17791ad83091d3696b05e44eccf124a6d87dbfd10

SHA512
0e9a4ebfb6b236cafa0b01aa91f5067f2f52c0f64bc94d8d386955ea4209f6ce711f1a6410b11d9766ffe311a742e2ba02f119fbf65610f6c8dc67b6abd296ea

Download Submit
memory/3540-52-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3580-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3580-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3808-1-0x0000000000500000-0x0000000000600000-memory.dmp

Filesize
1024KB

Download
memory/3808-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3808-16-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/3808-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3808-2-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/4872-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4872-39-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4872-30-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4872-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4872-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing