amadey | 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd

General

Target

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
Size

406KB
MD5

0bd32722e092eff1ef9e88a945824715
SHA1

af868c26f0a9cce64e30020e99d014efafa22e62
SHA256

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd
SHA512

eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7
SSDEEP

6144:BAL8MLRdnsW4U15jicEvsPqd3OWy1e4R2naajY/:B+1x515icEMol04a

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4564 Dctooux.exe
2544 Dctooux.exe
1976 Dctooux.exe
1464 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4564	Dctooux.exe
2544	Dctooux.exe
1976	Dctooux.exe
1464	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4264	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1372	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
5096	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
4620	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1744	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
3436	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
2176	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
5028	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1688	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1164	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1796	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
4292	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
3996	1280	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
4412	4564	WerFault.exe	Dctooux.exe
4328	4564	WerFault.exe	Dctooux.exe
3760	4564	WerFault.exe	Dctooux.exe
4936	4564	WerFault.exe	Dctooux.exe
3868	4564	WerFault.exe	Dctooux.exe
876	4564	WerFault.exe	Dctooux.exe
3288	4564	WerFault.exe	Dctooux.exe
740	4564	WerFault.exe	Dctooux.exe
4356	4564	WerFault.exe	Dctooux.exe
3244	4564	WerFault.exe	Dctooux.exe
3204	4564	WerFault.exe	Dctooux.exe
3392	4564	WerFault.exe	Dctooux.exe
1760	4564	WerFault.exe	Dctooux.exe
2552	4564	WerFault.exe	Dctooux.exe
1676	4564	WerFault.exe	Dctooux.exe
3712	4564	WerFault.exe	Dctooux.exe
2992	4564	WerFault.exe	Dctooux.exe
1856	2544	WerFault.exe	Dctooux.exe
4908	1976	WerFault.exe	Dctooux.exe
5072	4564	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

pid process

1280 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

pid	process
1280	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

description	pid	process	target process
PID 1280 wrote to memory of 4564	1280	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe
PID 1280 wrote to memory of 4564	1280	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe
PID 1280 wrote to memory of 4564	1280	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
"C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 764
2⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 808
2⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 872
2⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 932
2⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 956
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 928
2⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1144
2⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1224
2⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1292
2⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1556
2⤵
- Program crash
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 812
2⤵
- Program crash
PID:1796

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 560
3⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 580
3⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 568
3⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 596
3⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 660
3⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 688
3⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 888
3⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 924
3⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 940
3⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 976
3⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 952
3⤵
- Program crash
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 916
3⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1180
3⤵
- Program crash
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1412
3⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1356
3⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1436
3⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1432
3⤵
- Program crash
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 748
3⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 892
2⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1372
2⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1280 -ip 1280
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1280 -ip 1280
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1280 -ip 1280
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1280 -ip 1280
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1280 -ip 1280
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1280 -ip 1280
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1280 -ip 1280
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1280 -ip 1280
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1280 -ip 1280
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1280 -ip 1280
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1280 -ip 1280
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4564 -ip 4564
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4564 -ip 4564
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4564 -ip 4564
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4564 -ip 4564
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4564 -ip 4564
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4564 -ip 4564
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4564 -ip 4564
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4564 -ip 4564
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4564 -ip 4564
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4564 -ip 4564
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4564 -ip 4564
1⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 436
2⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2544 -ip 2544
1⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 448
2⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1976 -ip 1976
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4564 -ip 4564
1⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080292272204
Filesize
85KB

MD5
b41b31a0a0493ddf165e13cbef7e6d2d

SHA1
a96c858b7d2f1518402944f5f8de159eb06aa3f6

SHA256
f4d4f8065e570e390449033a0b3880c195ed24d296d37a4086f23776c104e9e3

SHA512
ad0bf806afd73184fcc5a67e8981eedeeac942def1efa6ee4bed53471b2752a88089e560ef27d59803d5549300fb261e7d60ab824170a96c9ee5cb4796b82809

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
406KB

MD5
0bd32722e092eff1ef9e88a945824715

SHA1
af868c26f0a9cce64e30020e99d014efafa22e62

SHA256
3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd

SHA512
eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7

Download Submit
memory/1280-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/1280-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1280-16-0x0000000000750000-0x00000000007BF000-memory.dmp

Filesize
444KB

Download
memory/1280-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1280-2-0x0000000000750000-0x00000000007BF000-memory.dmp

Filesize
444KB

Download
memory/1976-52-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2544-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2544-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2544-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-37-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-36-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4564-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads