amadey | 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd

General

Target

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
Size

406KB
MD5

0bd32722e092eff1ef9e88a945824715
SHA1

af868c26f0a9cce64e30020e99d014efafa22e62
SHA256

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd
SHA512

eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7
SSDEEP

6144:BAL8MLRdnsW4U15jicEvsPqd3OWy1e4R2naajY/:B+1x515icEMol04a

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4736 Dctooux.exe
4548 Dctooux.exe
4040 Dctooux.exe
1352 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4736	Dctooux.exe
4548	Dctooux.exe
4040	Dctooux.exe
1352	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1960	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
3172	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
800	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
4172	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1088	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
1672	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
972	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
2344	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
2208	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
2976	4388	WerFault.exe	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
3556	4736	WerFault.exe	Dctooux.exe
2772	4736	WerFault.exe	Dctooux.exe
3944	4736	WerFault.exe	Dctooux.exe
5044	4736	WerFault.exe	Dctooux.exe
3696	4736	WerFault.exe	Dctooux.exe
4764	4736	WerFault.exe	Dctooux.exe
1772	4736	WerFault.exe	Dctooux.exe
3760	4736	WerFault.exe	Dctooux.exe
1416	4736	WerFault.exe	Dctooux.exe
4792	4736	WerFault.exe	Dctooux.exe
4576	4736	WerFault.exe	Dctooux.exe
552	4736	WerFault.exe	Dctooux.exe
4244	4736	WerFault.exe	Dctooux.exe
1840	4736	WerFault.exe	Dctooux.exe
4652	4736	WerFault.exe	Dctooux.exe
3116	4736	WerFault.exe	Dctooux.exe
2036	4736	WerFault.exe	Dctooux.exe
1920	4548	WerFault.exe	Dctooux.exe
3084	4040	WerFault.exe	Dctooux.exe
3944	4736	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

pid process

4388 3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

pid	process
4388	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe

description	pid	process	target process
PID 4388 wrote to memory of 4736	4388	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe
PID 4388 wrote to memory of 4736	4388	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe
PID 4388 wrote to memory of 4736	4388	3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe
"C:\Users\Admin\AppData\Local\Temp\3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
2⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 820
2⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 836
2⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 944
2⤵
- Program crash
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 840
2⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 980
2⤵
- Program crash
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 940
2⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1044
2⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1048
2⤵
- Program crash
PID:2208

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 588
3⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 608
3⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 604
3⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 592
3⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 688
3⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 716
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
3⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 900
3⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 944
3⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 944
3⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 976
3⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1068
3⤵
- Program crash
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1208
3⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1236
3⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1436
3⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1544
3⤵
- Program crash
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1244
3⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 904
3⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1076
2⤵
- Program crash
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4388 -ip 4388
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4388 -ip 4388
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4388 -ip 4388
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4388 -ip 4388
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4388 -ip 4388
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4388 -ip 4388
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4388 -ip 4388
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4736 -ip 4736
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4736 -ip 4736
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4736 -ip 4736
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4736 -ip 4736
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4736 -ip 4736
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4736 -ip 4736
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4736 -ip 4736
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4736 -ip 4736
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4736 -ip 4736
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4736 -ip 4736
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4736 -ip 4736
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4736 -ip 4736
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4736 -ip 4736
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4736 -ip 4736
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4736 -ip 4736
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4736 -ip 4736
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4736 -ip 4736
1⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 480
2⤵
- Program crash
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4548 -ip 4548
1⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 480
2⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4040 -ip 4040
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4736 -ip 4736
1⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\276817940128
Filesize
77KB

MD5
8d0aae7a788d975e2bebd4ab835540e7

SHA1
5f418e39bb78725170207e04ee0d08c2804cc656

SHA256
7674e421fc476cf38ce12faa1530d4b2433562bc1f420081c8f0190f16fcfa51

SHA512
7de2ca2e78ea3da3831272cd220c87fbee18b3950d93bdcc696d038e999383a4e7fbf881f9f559021483f2e181d8acd4bbd7c1183f8c34b569b5f8ecbc61e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
406KB

MD5
0bd32722e092eff1ef9e88a945824715

SHA1
af868c26f0a9cce64e30020e99d014efafa22e62

SHA256
3f6d052baefd62e33e7ac301d6f1c37d5874d823c422e097324fae9e0c0451bd

SHA512
eab9d5f9f27adff92612df9a8a76ca403f7acb99a528772f9d389f7f6dc50919340c6e1c679f405b79b72ee8419d710fb5dcdcf2e1b8df5a74960437423ed2c7

Download Submit
memory/4040-51-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4388-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/4388-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4388-16-0x0000000002210000-0x000000000227F000-memory.dmp

Filesize
444KB

Download
memory/4388-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4388-2-0x0000000002210000-0x000000000227F000-memory.dmp

Filesize
444KB

Download
memory/4548-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4548-42-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4548-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4548-39-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4736-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4736-36-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4736-35-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing