amadey | 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0

General

Target

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
Size

424KB
MD5

badc61693070247ddf7474c29470696c
SHA1

7c86bdcadd17edf3e4f5765f4db5d9593d208212
SHA256

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0
SHA512

474b441de6951da4bd7c4b55dc2641296be502fc1b85d6ce0eb1aab638bf54cbcbd904045ddd7a96ad63867c4da58806036005e037c426e77c9d12061caf7bbb
SSDEEP

6144:LnnUuhPG5Dvk6MjdR7bHCqyIeROk7xR84q4hZpmaeO9NYGg/:jnUu76MD7biikOkxqcZpmaeYc

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4796 Dctooux.exe
3528 Dctooux.exe
2456 Dctooux.exe
4868 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4796	Dctooux.exe
3528	Dctooux.exe
2456	Dctooux.exe
4868	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4384	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
380	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
2632	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3992	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
2152	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
4532	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3556	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
4208	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3012	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
1600	2448	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3800	4796	WerFault.exe	Dctooux.exe
4452	4796	WerFault.exe	Dctooux.exe
1472	4796	WerFault.exe	Dctooux.exe
4612	4796	WerFault.exe	Dctooux.exe
1468	4796	WerFault.exe	Dctooux.exe
4324	4796	WerFault.exe	Dctooux.exe
4892	4796	WerFault.exe	Dctooux.exe
1044	4796	WerFault.exe	Dctooux.exe
2156	4796	WerFault.exe	Dctooux.exe
2388	4796	WerFault.exe	Dctooux.exe
1040	4796	WerFault.exe	Dctooux.exe
4332	4796	WerFault.exe	Dctooux.exe
936	4796	WerFault.exe	Dctooux.exe
3992	4796	WerFault.exe	Dctooux.exe
1596	4796	WerFault.exe	Dctooux.exe
1964	4796	WerFault.exe	Dctooux.exe
4420	4796	WerFault.exe	Dctooux.exe
4100	3528	WerFault.exe	Dctooux.exe
1776	2456	WerFault.exe	Dctooux.exe
1336	4796	WerFault.exe	Dctooux.exe
1328	4868	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

pid process

2448 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

pid	process
2448	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

description	pid	process	target process
PID 2448 wrote to memory of 4796	2448	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe
PID 2448 wrote to memory of 4796	2448	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe
PID 2448 wrote to memory of 4796	2448	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
"C:\Users\Admin\AppData\Local\Temp\7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 764
2⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 812
2⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 708
2⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 924
2⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 944
2⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 948
2⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1136
2⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1248
2⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1288
2⤵
- Program crash
PID:3012

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 560
3⤵
- Program crash
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 580
3⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 600
3⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 648
3⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 656
3⤵
- Program crash
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 568
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 772
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 900
3⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 772
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 556
3⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 940
3⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1020
3⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1164
3⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1360
3⤵
- Program crash
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1472
3⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1480
3⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1504
3⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 884
3⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1316
2⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2448 -ip 2448
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2448 -ip 2448
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2448 -ip 2448
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2448 -ip 2448
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2448 -ip 2448
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2448 -ip 2448
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2448 -ip 2448
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2448 -ip 2448
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2448 -ip 2448
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4796 -ip 4796
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4796 -ip 4796
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4796 -ip 4796
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4796 -ip 4796
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4796 -ip 4796
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4796 -ip 4796
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4796 -ip 4796
1⤵
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4796 -ip 4796
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4796 -ip 4796
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4796 -ip 4796
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4796 -ip 4796
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4796 -ip 4796
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4796 -ip 4796
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4796 -ip 4796
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4796 -ip 4796
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4796 -ip 4796
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4796 -ip 4796
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 440
2⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3528 -ip 3528
1⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 448
2⤵
- Program crash
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2456 -ip 2456
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4796 -ip 4796
1⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 444
2⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4868 -ip 4868
1⤵
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\169499791354
Filesize
75KB

MD5
9259a9c5996b6bcad45656295ba4fc1c

SHA1
80bcfc4d12a5c53b6d2adfc5605ca75f2509ef5e

SHA256
37e067240de5078eb669c43e833446c3dad586a65fbdd3a196d7e0243c470824

SHA512
7fa8d77d8da6127d621d45bc3694ee5999abfce49061e53d7f8a5ad3c0fc08263c3b19d520bae7239d58a0465070e9dca07e71b756d3e1ca14339f2c6a7bc347

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
badc61693070247ddf7474c29470696c

SHA1
7c86bdcadd17edf3e4f5765f4db5d9593d208212

SHA256
7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0

SHA512
474b441de6951da4bd7c4b55dc2641296be502fc1b85d6ce0eb1aab638bf54cbcbd904045ddd7a96ad63867c4da58806036005e037c426e77c9d12061caf7bbb

Download Submit
memory/2448-2-0x00000000020C0000-0x000000000212F000-memory.dmp

Filesize
444KB

Download
memory/2448-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2448-16-0x00000000020C0000-0x000000000212F000-memory.dmp

Filesize
444KB

Download
memory/2448-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2448-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2448-1-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2456-51-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3528-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3528-42-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-36-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-39-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4796-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4868-60-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads