amadey | a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25

General

Target

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
Size

424KB
MD5

61f57206e3d3d3d1621fe10c0a7f2d71
SHA1

13657383a9fac80797fed9027b19dc14996dd3ac
SHA256

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
SHA512

5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98
SSDEEP

6144:snnUun/fcHlLgQ7CBa1PmU7iGvHvVTCZPy+isHfAt4mP/:+nUu/fclcQ76a1PmGX8Pms8

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

2852 Dctooux.exe
1508 Dctooux.exe
3140 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2852	Dctooux.exe
1508	Dctooux.exe
3140	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1144	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
5100	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
2660	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
2304	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
4320	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
3408	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
2056	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
4984	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
4656	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
992	2404	WerFault.exe	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
1384	2852	WerFault.exe	Dctooux.exe
2360	2852	WerFault.exe	Dctooux.exe
936	2852	WerFault.exe	Dctooux.exe
1308	2852	WerFault.exe	Dctooux.exe
2928	2852	WerFault.exe	Dctooux.exe
4536	2852	WerFault.exe	Dctooux.exe
5028	2852	WerFault.exe	Dctooux.exe
3760	2852	WerFault.exe	Dctooux.exe
1252	2852	WerFault.exe	Dctooux.exe
4476	2852	WerFault.exe	Dctooux.exe
3300	2852	WerFault.exe	Dctooux.exe
4460	2852	WerFault.exe	Dctooux.exe
3700	2852	WerFault.exe	Dctooux.exe
4624	2852	WerFault.exe	Dctooux.exe
2444	2852	WerFault.exe	Dctooux.exe
2320	2852	WerFault.exe	Dctooux.exe
3692	2852	WerFault.exe	Dctooux.exe
2236	2852	WerFault.exe	Dctooux.exe
3812	1508	WerFault.exe	Dctooux.exe
2028	3140	WerFault.exe	Dctooux.exe
1736	2852	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

pid process

2404 a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

pid	process
2404	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

description	pid	process	target process
PID 2404 wrote to memory of 2852	2404	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe
PID 2404 wrote to memory of 2852	2404	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe
PID 2404 wrote to memory of 2852	2404	a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 784
2⤵
- Program crash
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 804
2⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 836
2⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 944
2⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 972
2⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 840
2⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1028
2⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1052
2⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1136
2⤵
- Program crash
PID:4656

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 588
3⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 628
3⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 652
3⤵
- Program crash
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 696
3⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 704
3⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 760
3⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 900
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 932
3⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 940
3⤵
- Program crash
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 748
3⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 992
3⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1068
3⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1072
3⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1436
3⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1456
3⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1488
3⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1508
3⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1500
3⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1636
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1188
2⤵
- Program crash
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2404 -ip 2404
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2404 -ip 2404
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2404 -ip 2404
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2404 -ip 2404
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2404 -ip 2404
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2404 -ip 2404
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2852 -ip 2852
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2852 -ip 2852
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2852 -ip 2852
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2852 -ip 2852
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2852 -ip 2852
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2852 -ip 2852
1⤵
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2852 -ip 2852
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2852 -ip 2852
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2852 -ip 2852
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2852 -ip 2852
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2852 -ip 2852
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 480
2⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1508 -ip 1508
1⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 472
2⤵
- Program crash
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2852 -ip 2852
1⤵
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\235821424191
Filesize
72KB

MD5
e2376d49c97ecc0727caf2f4167a2028

SHA1
e1439dc437a09cca36b76f1d440ac7725d03e4f7

SHA256
be39b46b569b8eb48a3fa6e6ced2edd5700ae21d3013c5b7ea1f975e9147bd29

SHA512
9cc5db232e5f003f75e59ee59e2809ef8992989e4808866fc07d4406a8f6b289499d9adb44abe3ae0d3bffc1429f1c15bce73517363fae75525c5b09dc10beb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
61f57206e3d3d3d1621fe10c0a7f2d71

SHA1
13657383a9fac80797fed9027b19dc14996dd3ac

SHA256
a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25

SHA512
5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98

Download Submit
memory/1508-41-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1508-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2404-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2404-16-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/2404-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2404-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2404-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2404-2-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/2852-19-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2852-35-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2852-36-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3140-50-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing