amadey | 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0

General

Target

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
Size

424KB
MD5

badc61693070247ddf7474c29470696c
SHA1

7c86bdcadd17edf3e4f5765f4db5d9593d208212
SHA256

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0
SHA512

474b441de6951da4bd7c4b55dc2641296be502fc1b85d6ce0eb1aab638bf54cbcbd904045ddd7a96ad63867c4da58806036005e037c426e77c9d12061caf7bbb
SSDEEP

6144:LnnUuhPG5Dvk6MjdR7bHCqyIeROk7xR84q4hZpmaeO9NYGg/:jnUu76MD7biikOkxqcZpmaeYc

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

4348 Dctooux.exe
4864 Dctooux.exe
2772 Dctooux.exe
4364 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4348	Dctooux.exe
4864	Dctooux.exe
2772	Dctooux.exe
4364	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

Program crash 32 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4064	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3436	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
1576	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
3160	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
2024	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
1996	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
884	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
4264	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
2852	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
1924	5068	WerFault.exe	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
4552	4348	WerFault.exe	Dctooux.exe
4796	4348	WerFault.exe	Dctooux.exe
3612	4348	WerFault.exe	Dctooux.exe
4816	4348	WerFault.exe	Dctooux.exe
4076	4348	WerFault.exe	Dctooux.exe
2164	4348	WerFault.exe	Dctooux.exe
4492	4348	WerFault.exe	Dctooux.exe
3828	4348	WerFault.exe	Dctooux.exe
3576	4348	WerFault.exe	Dctooux.exe
3068	4348	WerFault.exe	Dctooux.exe
5028	4348	WerFault.exe	Dctooux.exe
232	4348	WerFault.exe	Dctooux.exe
2072	4348	WerFault.exe	Dctooux.exe
5084	4348	WerFault.exe	Dctooux.exe
3624	4348	WerFault.exe	Dctooux.exe
2204	4348	WerFault.exe	Dctooux.exe
1388	4348	WerFault.exe	Dctooux.exe
3532	4864	WerFault.exe	Dctooux.exe
2000	2772	WerFault.exe	Dctooux.exe
4012	4348	WerFault.exe	Dctooux.exe
2504	4364	WerFault.exe	Dctooux.exe
1816	4364	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

pid process

5068 7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

pid	process
5068	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe

description	pid	process	target process
PID 5068 wrote to memory of 4348	5068	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe
PID 5068 wrote to memory of 4348	5068	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe
PID 5068 wrote to memory of 4348	5068	7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe
"C:\Users\Admin\AppData\Local\Temp\7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 776
2⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 820
2⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 876
2⤵
- Program crash
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 940
2⤵
- Program crash
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 932
2⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 948
2⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1020
2⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1020
2⤵
- Program crash
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1044
2⤵
- Program crash
PID:2852

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 588
3⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 632
3⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 652
3⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 676
3⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 664
3⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 592
3⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 900
3⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 920
3⤵
- Program crash
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 936
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 932
3⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 784
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1068
3⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1076
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1452
3⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1444
3⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1348
3⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1544
3⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 904
3⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1176
2⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5068 -ip 5068
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5068 -ip 5068
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5068 -ip 5068
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5068 -ip 5068
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5068 -ip 5068
1⤵
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5068 -ip 5068
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5068 -ip 5068
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4348 -ip 4348
1⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4348 -ip 4348
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4348 -ip 4348
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4348 -ip 4348
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4348 -ip 4348
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4348 -ip 4348
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4348 -ip 4348
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4348 -ip 4348
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4348 -ip 4348
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4348 -ip 4348
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4348 -ip 4348
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4348 -ip 4348
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4348 -ip 4348
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4348 -ip 4348
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 472
2⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 472
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2772 -ip 2772
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4348 -ip 4348
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 468
2⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 472
2⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4364 -ip 4364
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4364 -ip 4364
1⤵
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001105534270
Filesize
80KB

MD5
5ba33df8daea8d3989e16bc7c1c15518

SHA1
4f01cc7e4afae705bdd28f1e5b91edeff314022c

SHA256
27ee5b822016ba6176c175de52627a58063e4ac3cb4fc2c3cd27a236b0beaf86

SHA512
8abe453ed2cb7d89c20a9bd1721972ec362f481ac48bf7729314a278062741fd8e9576eda0e490a33f3c68d983f38d657dca6f74769123356c240c23f075a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
badc61693070247ddf7474c29470696c

SHA1
7c86bdcadd17edf3e4f5765f4db5d9593d208212

SHA256
7b5be56fafa1f9cd746dbea6da0b7b549bbfb68eedd3b69ff2767c0095bda3d0

SHA512
474b441de6951da4bd7c4b55dc2641296be502fc1b85d6ce0eb1aab638bf54cbcbd904045ddd7a96ad63867c4da58806036005e037c426e77c9d12061caf7bbb

Download Submit
memory/2772-49-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4348-24-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4348-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4348-29-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4348-41-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4364-58-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4864-27-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4864-28-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5068-17-0x0000000002190000-0x00000000021FF000-memory.dmp

Filesize
444KB

Download
memory/5068-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5068-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/5068-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/5068-1-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/5068-2-0x0000000002190000-0x00000000021FF000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing