amadey | 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1

General

Target

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
Size

407KB
MD5

98392f80bcfbb4a2d5e2966696e76f9d
SHA1

65720cf5bababcdc4a27fadfae2dc811979dae06
SHA256

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1
SHA512

29ff145b655dac61c7e3f358657f2068a9b0bf8b1658649a7dccb9ff8b8485b5a77ca41cf319a1d9c1b16c778f0807fb343747079cbb26dd35e6f5a883561ca6
SSDEEP

6144:gALTZpdoaVORPT862GHuGOnOz4XquD6YcwD/ag/:gIx88W4nXqCcwR

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

3864 Dctooux.exe
648 Dctooux.exe
1920 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3864	Dctooux.exe
648	Dctooux.exe
1920	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3692	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3528	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3180	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
1704	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
2284	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
2084	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
5064	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
464	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
1872	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
4828	3288	WerFault.exe	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
3544	3864	WerFault.exe	Dctooux.exe
3704	3864	WerFault.exe	Dctooux.exe
3148	3864	WerFault.exe	Dctooux.exe
4900	3864	WerFault.exe	Dctooux.exe
1956	3864	WerFault.exe	Dctooux.exe
436	3864	WerFault.exe	Dctooux.exe
4524	3864	WerFault.exe	Dctooux.exe
1112	3864	WerFault.exe	Dctooux.exe
720	3864	WerFault.exe	Dctooux.exe
1044	3864	WerFault.exe	Dctooux.exe
3928	3864	WerFault.exe	Dctooux.exe
5004	3864	WerFault.exe	Dctooux.exe
5092	3864	WerFault.exe	Dctooux.exe
3992	3864	WerFault.exe	Dctooux.exe
2272	3864	WerFault.exe	Dctooux.exe
2860	3864	WerFault.exe	Dctooux.exe
2784	3864	WerFault.exe	Dctooux.exe
4080	648	WerFault.exe	Dctooux.exe
1848	1920	WerFault.exe	Dctooux.exe
3504	3864	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

pid process

3288 3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

pid	process
3288	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe

description	pid	process	target process
PID 3288 wrote to memory of 3864	3288	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe
PID 3288 wrote to memory of 3864	3288	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe
PID 3288 wrote to memory of 3864	3288	3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe
"C:\Users\Admin\AppData\Local\Temp\3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 776
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 796
2⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 852
2⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 932
2⤵
- Program crash
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 960
2⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 976
2⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 924
2⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 924
2⤵
- Program crash
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1136
2⤵
- Program crash
PID:1872

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 588
3⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 628
3⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 648
3⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 672
3⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 680
3⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 704
3⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 624
3⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 936
3⤵
- Program crash
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 972
3⤵
- Program crash
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 992
3⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 816
3⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1068
3⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1208
3⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1452
3⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1396
3⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1352
3⤵
- Program crash
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 1504
3⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 940
3⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1180
2⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3288 -ip 3288
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3288 -ip 3288
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3288 -ip 3288
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3288 -ip 3288
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3288 -ip 3288
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3288 -ip 3288
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3288 -ip 3288
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3288 -ip 3288
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3288 -ip 3288
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3288 -ip 3288
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3864 -ip 3864
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3864 -ip 3864
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3864 -ip 3864
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3864 -ip 3864
1⤵
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3864 -ip 3864
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3864 -ip 3864
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3864 -ip 3864
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3864 -ip 3864
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3864 -ip 3864
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3864 -ip 3864
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3864 -ip 3864
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3864 -ip 3864
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3864 -ip 3864
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3864 -ip 3864
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3864 -ip 3864
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3864 -ip 3864
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3864 -ip 3864
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 472
2⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 648 -ip 648
1⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 480
2⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1920 -ip 1920
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3864 -ip 3864
1⤵
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\474490143322
Filesize
80KB

MD5
305109a5360c3df40fc95e90c552db9a

SHA1
416741b2ec5acd0c2f0f3de67e302e7acc0c06e6

SHA256
54bbbc304e95e7b88ec3d36a99fa359f1f9afb69ba48161b3dce98ea3e0453a2

SHA512
2df506fa6a1c74d7b4d78956b79d24edeb9e7276e32be4e71348b12aa5126ee4c640a161716a693671ef440e50066209cdf05c7031e781459706850775b76781

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
407KB

MD5
98392f80bcfbb4a2d5e2966696e76f9d

SHA1
65720cf5bababcdc4a27fadfae2dc811979dae06

SHA256
3c424dad86619cb197396cb510bd472ca97aba729d289e2b50f3c0986241adf1

SHA512
29ff145b655dac61c7e3f358657f2068a9b0bf8b1658649a7dccb9ff8b8485b5a77ca41cf319a1d9c1b16c778f0807fb343747079cbb26dd35e6f5a883561ca6

Download Submit
memory/648-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/648-45-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/648-44-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/648-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1920-54-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3288-2-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/3288-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3288-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3288-16-0x0000000002180000-0x00000000021EF000-memory.dmp

Filesize
444KB

Download
memory/3288-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/3864-21-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3864-39-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3864-27-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3864-26-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3864-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3864-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing