amadey | 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1

General

Target

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
Size

407KB
MD5

98392f80bcfbb4a2d5e2966696e76f9d
SHA1

65720cf5bababcdc4a27fadfae2dc811979dae06
SHA256

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1
SHA512

29ff145b655dac61c7e3f358657f2068a9b0bf8b1658649a7dccb9ff8b8485b5a77ca41cf319a1d9c1b16c778f0807fb343747079cbb26dd35e6f5a883561ca6
SSDEEP

6144:gALTZpdoaVORPT862GHuGOnOz4XquD6YcwD/ag/:gIx88W4nXqCcwR

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

4564 Dctooux.exe
2928 Dctooux.exe
4012 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4564	Dctooux.exe
2928	Dctooux.exe
4012	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1452	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
4348	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
1436	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
4024	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
4612	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3700	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
448	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
2744	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3756	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3916	4936	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
4624	4564	WerFault.exe	Dctooux.exe
3504	4564	WerFault.exe	Dctooux.exe
1764	4564	WerFault.exe	Dctooux.exe
3296	4564	WerFault.exe	Dctooux.exe
1400	4564	WerFault.exe	Dctooux.exe
1740	4564	WerFault.exe	Dctooux.exe
5024	4564	WerFault.exe	Dctooux.exe
4872	4564	WerFault.exe	Dctooux.exe
1904	4564	WerFault.exe	Dctooux.exe
4672	4564	WerFault.exe	Dctooux.exe
3184	4564	WerFault.exe	Dctooux.exe
3156	4564	WerFault.exe	Dctooux.exe
3068	4564	WerFault.exe	Dctooux.exe
4904	4564	WerFault.exe	Dctooux.exe
2696	4564	WerFault.exe	Dctooux.exe
4340	4564	WerFault.exe	Dctooux.exe
1600	4564	WerFault.exe	Dctooux.exe
4016	2928	WerFault.exe	Dctooux.exe
5092	4012	WerFault.exe	Dctooux.exe
908	4564	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

pid process

4936 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

pid	process
4936	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

description	pid	process	target process
PID 4936 wrote to memory of 4564	4936	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe
PID 4936 wrote to memory of 4564	4936	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe
PID 4936 wrote to memory of 4564	4936	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
"C:\Users\Admin\AppData\Local\Temp\3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 768
2⤵
- Program crash
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 712
2⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 816
2⤵
- Program crash
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 924
2⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 920
2⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 916
2⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1136
2⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1160
2⤵
- Program crash
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1244
2⤵
- Program crash
PID:3756

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 560
3⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 580
3⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 600
3⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 604
3⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 656
3⤵
- Program crash
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 704
3⤵
- Program crash
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 748
3⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 900
3⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 916
3⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 952
3⤵
- Program crash
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 976
3⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1020
3⤵
- Program crash
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1020
3⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1408
3⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1348
3⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1440
3⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1448
3⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 860
3⤵
- Program crash
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 824
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4936 -ip 4936
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4936 -ip 4936
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4936 -ip 4936
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4936 -ip 4936
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4936 -ip 4936
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4936 -ip 4936
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4936 -ip 4936
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4936 -ip 4936
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4936 -ip 4936
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4936 -ip 4936
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4564 -ip 4564
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4564 -ip 4564
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4564 -ip 4564
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4564 -ip 4564
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4564 -ip 4564
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4564 -ip 4564
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4564 -ip 4564
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4564 -ip 4564
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4564 -ip 4564
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4564 -ip 4564
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4564 -ip 4564
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4564 -ip 4564
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4564 -ip 4564
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4564 -ip 4564
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4564 -ip 4564
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4564 -ip 4564
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4564 -ip 4564
1⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 440
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2928 -ip 2928
1⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 440
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4012 -ip 4012
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4564 -ip 4564
1⤵
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\539840389126
Filesize
76KB

MD5
95f9f5019e780214cb9b439f77955e9f

SHA1
3fdd877df10293b1e5d7fba433e10e71e91f63e1

SHA256
d2f46605f7b4e867903eeaaefb94ee21d93218094e87497234ddd617121dd43a

SHA512
77472e2dd76941d9b2d4ffec3eba28b482405cca967b8c516302ea1463148c3ba6ff051c19975204a4daa2bb21b0d46d7b2c8394a6bb4e0553cd67ff349be182

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
407KB

MD5
98392f80bcfbb4a2d5e2966696e76f9d

SHA1
65720cf5bababcdc4a27fadfae2dc811979dae06

SHA256
3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1

SHA512
29ff145b655dac61c7e3f358657f2068a9b0bf8b1658649a7dccb9ff8b8485b5a77ca41cf319a1d9c1b16c778f0807fb343747079cbb26dd35e6f5a883561ca6

Download Submit
memory/2928-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2928-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2928-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4012-51-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-25-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-24-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-37-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4936-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4936-2-0x0000000002080000-0x00000000020EF000-memory.dmp

Filesize
444KB

Download
memory/4936-16-0x0000000002080000-0x00000000020EF000-memory.dmp

Filesize
444KB

Download
memory/4936-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4936-1-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads