amadey | a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25

General

Target

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
Size

424KB
MD5

61f57206e3d3d3d1621fe10c0a7f2d71
SHA1

13657383a9fac80797fed9027b19dc14996dd3ac
SHA256

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
SHA512

5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98
SSDEEP

6144:snnUun/fcHlLgQ7CBa1PmU7iGvHvVTCZPy+isHfAt4mP/:+nUu/fclcQ76a1PmGX8Pms8

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

3144 Dctooux.exe
1096 Dctooux.exe
3608 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3144	Dctooux.exe
1096	Dctooux.exe
3608	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4312	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
3904	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
1780	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
2112	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
4628	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
3432	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
5068	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
4740	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
944	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
5100	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
892	988	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
1908	3144	WerFault.exe	Dctooux.exe
5044	3144	WerFault.exe	Dctooux.exe
3180	3144	WerFault.exe	Dctooux.exe
4508	3144	WerFault.exe	Dctooux.exe
2192	3144	WerFault.exe	Dctooux.exe
5096	3144	WerFault.exe	Dctooux.exe
3860	3144	WerFault.exe	Dctooux.exe
3832	3144	WerFault.exe	Dctooux.exe
4348	3144	WerFault.exe	Dctooux.exe
536	3144	WerFault.exe	Dctooux.exe
2680	3144	WerFault.exe	Dctooux.exe
3148	3144	WerFault.exe	Dctooux.exe
4028	3144	WerFault.exe	Dctooux.exe
2420	3144	WerFault.exe	Dctooux.exe
3012	3144	WerFault.exe	Dctooux.exe
4676	3144	WerFault.exe	Dctooux.exe
4616	3144	WerFault.exe	Dctooux.exe
3472	1096	WerFault.exe	Dctooux.exe
2208	3608	WerFault.exe	Dctooux.exe
5064	3144	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

pid process

988 a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

pid	process
988	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

description	pid	process	target process
PID 988 wrote to memory of 3144	988	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe
PID 988 wrote to memory of 3144	988	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe
PID 988 wrote to memory of 3144	988	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 756
2⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 828
2⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 868
2⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 876
2⤵
- Program crash
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 880
2⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 936
2⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1128
2⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1160
2⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1264
2⤵
- Program crash
PID:944

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 560
3⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 580
3⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 604
3⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 608
3⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 720
3⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 732
3⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 812
3⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 900
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 908
3⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 908
3⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 948
3⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1020
3⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1188
3⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1408
3⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1408
3⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1456
3⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1476
3⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 780
3⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1028
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 836
2⤵
- Program crash
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 988 -ip 988
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 988 -ip 988
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 988 -ip 988
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 988 -ip 988
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 988 -ip 988
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 988 -ip 988
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 988 -ip 988
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 988 -ip 988
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 988 -ip 988
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 988 -ip 988
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 988 -ip 988
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3144 -ip 3144
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3144 -ip 3144
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3144 -ip 3144
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3144 -ip 3144
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3144 -ip 3144
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3144 -ip 3144
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3144 -ip 3144
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3144 -ip 3144
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3144 -ip 3144
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3144 -ip 3144
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3144 -ip 3144
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3144 -ip 3144
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3144 -ip 3144
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3144 -ip 3144
1⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3144 -ip 3144
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3144 -ip 3144
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3144 -ip 3144
1⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 448
2⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1096 -ip 1096
1⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 440
2⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 3608
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3144 -ip 3144
1⤵
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\204450073126
Filesize
80KB

MD5
4154139df84e27acbed452c969722120

SHA1
3c100aa4b8ecf6417deb6b8f16e255159cc57c40

SHA256
1ef9e8bf8fcd7d64a941d8f2bddd16e27f5065c7cb27b31525c1fc489e97aa30

SHA512
facfad4c1b18a0494fe43f5b8a93d4e7787d240d0cbb8e35f2c0665315d7da39bcc0e2c93f9c06a312be4ee2433778e22cf93b3ffee34fc093c9764c71a08e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
61f57206e3d3d3d1621fe10c0a7f2d71

SHA1
13657383a9fac80797fed9027b19dc14996dd3ac

SHA256
a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25

SHA512
5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98

Download Submit
memory/988-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/988-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/988-16-0x00000000020C0000-0x000000000212F000-memory.dmp

Filesize
444KB

Download
memory/988-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/988-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/988-2-0x00000000020C0000-0x000000000212F000-memory.dmp

Filesize
444KB

Download
memory/1096-44-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1096-46-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1096-45-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1096-43-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3144-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3144-38-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3144-34-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3144-21-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3144-20-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3608-55-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads