amadey | 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880

General

Target

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
Size

392KB
MD5

583c42042090b9bd50c7ea340d2d0614
SHA1

52fc8c85e4e34c9f070ac5664ebf6b615003ab85
SHA256

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880
SHA512

e8bd1f2c2042f9d4f69e37ebba00ea82e3cccb51acd3dbb5efa1da970451edae2616412382d8066a18ad73154394cc4b197285ad7a60f77554b5ef2f820034b1
SSDEEP

6144:0ST9EeMepodzbmsh4PN3a3hhvEqnXRZSbTXqcT2vBTet91Ra1YnC/:DT6eMM2zbXoNyLLnXRS6cTMTet9LQ

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4816 Dctooux.exe
3172 Dctooux.exe
3512 Dctooux.exe
3180 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4816	Dctooux.exe
3172	Dctooux.exe
3512	Dctooux.exe
3180	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4776	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3352	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3592	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3056	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3244	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
2760	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
4104	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
984	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
4072	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
988	3180	WerFault.exe	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
3176	4816	WerFault.exe	Dctooux.exe
4756	4816	WerFault.exe	Dctooux.exe
1508	4816	WerFault.exe	Dctooux.exe
1268	4816	WerFault.exe	Dctooux.exe
3364	4816	WerFault.exe	Dctooux.exe
1548	4816	WerFault.exe	Dctooux.exe
1912	3172	WerFault.exe	Dctooux.exe
1796	4816	WerFault.exe	Dctooux.exe
1636	4816	WerFault.exe	Dctooux.exe
4224	4816	WerFault.exe	Dctooux.exe
2528	4816	WerFault.exe	Dctooux.exe
4616	4816	WerFault.exe	Dctooux.exe
572	4816	WerFault.exe	Dctooux.exe
232	4816	WerFault.exe	Dctooux.exe
3948	4816	WerFault.exe	Dctooux.exe
3604	4816	WerFault.exe	Dctooux.exe
3664	4816	WerFault.exe	Dctooux.exe
1616	4816	WerFault.exe	Dctooux.exe
4556	3512	WerFault.exe	Dctooux.exe
2320	3180	WerFault.exe	Dctooux.exe
4756	4816	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

pid process

3180 4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

pid	process
3180	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe

description	pid	process	target process
PID 3180 wrote to memory of 4816	3180	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe
PID 3180 wrote to memory of 4816	3180	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe
PID 3180 wrote to memory of 4816	3180	4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe
"C:\Users\Admin\AppData\Local\Temp\4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 776
2⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 816
2⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 840
2⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 932
2⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 952
2⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 976
2⤵
- Program crash
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 840
2⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 840
2⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1132
2⤵
- Program crash
PID:4072

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 588
3⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 628
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 656
3⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 640
3⤵
- Program crash
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 764
3⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 664
3⤵
- Program crash
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 900
3⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 900
3⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 804
3⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 968
3⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 844
3⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1068
3⤵
- Program crash
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1072
3⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1320
3⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1468
3⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1484
3⤵
- Program crash
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1476
3⤵
- Program crash
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 904
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1148
2⤵
- Program crash
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3180 -ip 3180
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3180 -ip 3180
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3180 -ip 3180
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3180 -ip 3180
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3180 -ip 3180
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3180 -ip 3180
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3180 -ip 3180
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3180 -ip 3180
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3180 -ip 3180
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3180 -ip 3180
1⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 472
2⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4816 -ip 4816
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4816 -ip 4816
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4816 -ip 4816
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4816 -ip 4816
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4816 -ip 4816
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4816 -ip 4816
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3172 -ip 3172
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4816 -ip 4816
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4816 -ip 4816
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4816 -ip 4816
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4816 -ip 4816
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4816 -ip 4816
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4816 -ip 4816
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4816 -ip 4816
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4816 -ip 4816
1⤵
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4816 -ip 4816
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4816 -ip 4816
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 480
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3512 -ip 3512
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 472
2⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3180 -ip 3180
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4816 -ip 4816
1⤵
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\198854727384
Filesize
79KB

MD5
e043995252676a062dcc5ad5449efd9d

SHA1
3527a478699902fee49e89de74eceee2ae09e8a1

SHA256
9471dcccde7d1d6d83a5f1e0b9b6ab135e1e696f3440b9d0fdad86524581bb46

SHA512
af1f5382274d176d4209dcae273cc94ed4371676148447bd415a693e8ac0c9a8a282b22f8a3adcdde668b3d63e5f53d8010e89509868ada6e339496a79d3f36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
392KB

MD5
583c42042090b9bd50c7ea340d2d0614

SHA1
52fc8c85e4e34c9f070ac5664ebf6b615003ab85

SHA256
4435f30ee62bdf665a126cfffa47f8271f74d579bd48c8418495aac79d6e0880

SHA512
e8bd1f2c2042f9d4f69e37ebba00ea82e3cccb51acd3dbb5efa1da970451edae2616412382d8066a18ad73154394cc4b197285ad7a60f77554b5ef2f820034b1

Download Submit
memory/3172-22-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3172-24-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3180-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3180-2-0x00000000021A0000-0x000000000220F000-memory.dmp

Filesize
444KB

Download
memory/3180-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3180-16-0x00000000021A0000-0x000000000220F000-memory.dmp

Filesize
444KB

Download
memory/3180-1-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/3180-57-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3512-48-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4816-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4816-40-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4816-41-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing