amadey | 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880

General

Target

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
Size

392KB
MD5

583c42042090b9bd50c7ea340d2d0614
SHA1

52fc8c85e4e34c9f070ac5664ebf6b615003ab85
SHA256

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880
SHA512

e8bd1f2c2042f9d4f69e37ebba00ea82e3cccb51acd3dbb5efa1da970451edae2616412382d8066a18ad73154394cc4b197285ad7a60f77554b5ef2f820034b1
SSDEEP

6144:0ST9EeMepodzbmsh4PN3a3hhvEqnXRZSbTXqcT2vBTet91Ra1YnC/:DT6eMM2zbXoNyLLnXRS6cTMTet9LQ

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

3872 Dctooux.exe
2364 Dctooux.exe
1624 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3872	Dctooux.exe
2364	Dctooux.exe
1624	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3124	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
2868	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
1636	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3520	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
4560	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
5036	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
1000	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3808	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
760	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
1872	3912	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
920	3872	WerFault.exe	Dctooux.exe
4676	3872	WerFault.exe	Dctooux.exe
3816	3872	WerFault.exe	Dctooux.exe
1192	3872	WerFault.exe	Dctooux.exe
4768	3872	WerFault.exe	Dctooux.exe
1828	3872	WerFault.exe	Dctooux.exe
4456	3872	WerFault.exe	Dctooux.exe
2836	3872	WerFault.exe	Dctooux.exe
5024	3872	WerFault.exe	Dctooux.exe
3988	3872	WerFault.exe	Dctooux.exe
2868	3872	WerFault.exe	Dctooux.exe
3904	3872	WerFault.exe	Dctooux.exe
2608	3872	WerFault.exe	Dctooux.exe
2128	3872	WerFault.exe	Dctooux.exe
3348	3872	WerFault.exe	Dctooux.exe
3612	3872	WerFault.exe	Dctooux.exe
3700	3872	WerFault.exe	Dctooux.exe
936	2364	WerFault.exe	Dctooux.exe
4768	1624	WerFault.exe	Dctooux.exe
4352	3872	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

pid process

3912 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

pid	process
3912	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

description	pid	process	target process
PID 3912 wrote to memory of 3872	3912	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe
PID 3912 wrote to memory of 3872	3912	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe
PID 3912 wrote to memory of 3872	3912	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
"C:\Users\Admin\AppData\Local\Temp\4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 756
2⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 800
2⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 856
2⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 904
2⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 908
2⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 856
2⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1152
2⤵
- Program crash
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1252
2⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1232
2⤵
- Program crash
PID:760

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 560
3⤵
- Program crash
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 580
3⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 600
3⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 608
3⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 616
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 736
3⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 888
3⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 560
3⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 888
3⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 956
3⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 980
3⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1020
3⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1164
3⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1416
3⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1484
3⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1392
3⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1108
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 892
3⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1336
2⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3912 -ip 3912
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3912 -ip 3912
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3912 -ip 3912
1⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3912 -ip 3912
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3912 -ip 3912
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3912 -ip 3912
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3912 -ip 3912
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3912 -ip 3912
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3912 -ip 3912
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3912 -ip 3912
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3872 -ip 3872
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3872 -ip 3872
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3872 -ip 3872
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3872 -ip 3872
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3872 -ip 3872
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3872 -ip 3872
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3872 -ip 3872
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3872 -ip 3872
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3872 -ip 3872
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3872 -ip 3872
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3872 -ip 3872
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3872 -ip 3872
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3872 -ip 3872
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3872 -ip 3872
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3872 -ip 3872
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3872 -ip 3872
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3872 -ip 3872
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 440
2⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2364 -ip 2364
1⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 448
2⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1624 -ip 1624
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3872 -ip 3872
1⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\169499791354
Filesize
83KB

MD5
1b0fc8d442065a9b56f97b78c4fa1137

SHA1
555e50095e21f4a68950770f062ffc5c47d43fb3

SHA256
4b6995070fedc78ec90c714cabcac316683fcb4ca6f3303d524ccf5644d8cd44

SHA512
2b2713d95f3328685bc9599baa821d6024425737119ac742676a6cfc69cb18b38fcdf29d714ce1fb22684c4bbeeada8ce852a3277e4996141057c2ab857f8a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
392KB

MD5
583c42042090b9bd50c7ea340d2d0614

SHA1
52fc8c85e4e34c9f070ac5664ebf6b615003ab85

SHA256
4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880

SHA512
e8bd1f2c2042f9d4f69e37ebba00ea82e3cccb51acd3dbb5efa1da970451edae2616412382d8066a18ad73154394cc4b197285ad7a60f77554b5ef2f820034b1

Download Submit
memory/1624-57-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2364-48-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2364-47-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2364-45-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2364-46-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-21-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-30-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-38-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3872-20-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3912-1-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/3912-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3912-17-0x0000000001FA0000-0x000000000200F000-memory.dmp

Filesize
444KB

Download
memory/3912-2-0x0000000001FA0000-0x000000000200F000-memory.dmp

Filesize
444KB

Download
memory/3912-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads