amadey | 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19

General

Target

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
Size

424KB
MD5

cfe9e898505ab7ee6363426ebbe47103
SHA1

103e65a8dd5cbfcb47b830573da1c141e566bdd2
SHA256

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19
SHA512

d4ee968efccf7979f94f5e35adee6efe48a4c99bf23f14eefbb4beac206ec7c18a619feb4d8e0e1ec7c600abb739dd879335babf063510a2d360b844e70d5904
SSDEEP

6144:HnnUujpl1gxSfHvL+wizyxojjHi3SjMvjtGBKXcBtG95v+bgG21/:HnUuj15vzEzjjHi3bRGBKXX+2R

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

4888 Dctooux.exe
2176 Dctooux.exe
2464 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4888	Dctooux.exe
2176	Dctooux.exe
2464	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4080	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
3536	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
4780	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
4404	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1472	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1684	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
3312	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1252	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
2864	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
4048	4392	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1864	4888	WerFault.exe	Dctooux.exe
2248	4888	WerFault.exe	Dctooux.exe
2188	4888	WerFault.exe	Dctooux.exe
972	4888	WerFault.exe	Dctooux.exe
3688	4888	WerFault.exe	Dctooux.exe
5020	4888	WerFault.exe	Dctooux.exe
4940	4888	WerFault.exe	Dctooux.exe
1896	4888	WerFault.exe	Dctooux.exe
1596	4888	WerFault.exe	Dctooux.exe
728	4888	WerFault.exe	Dctooux.exe
3228	4888	WerFault.exe	Dctooux.exe
3880	4888	WerFault.exe	Dctooux.exe
3920	4888	WerFault.exe	Dctooux.exe
2272	4888	WerFault.exe	Dctooux.exe
1964	4888	WerFault.exe	Dctooux.exe
1364	4888	WerFault.exe	Dctooux.exe
544	4888	WerFault.exe	Dctooux.exe
4452	2176	WerFault.exe	Dctooux.exe
3972	2464	WerFault.exe	Dctooux.exe
4680	4888	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

pid process

4392 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

pid	process
4392	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

description	pid	process	target process
PID 4392 wrote to memory of 4888	4392	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe
PID 4392 wrote to memory of 4888	4392	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe
PID 4392 wrote to memory of 4888	4392	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
"C:\Users\Admin\AppData\Local\Temp\81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 756
2⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 776
2⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 856
2⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 928
2⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 932
2⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 900
2⤵
- Program crash
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1140
2⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1224
2⤵
- Program crash
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1300
2⤵
- Program crash
PID:2864

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 560
3⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 580
3⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 600
3⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 620
3⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 652
3⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 724
3⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 888
3⤵
- Program crash
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 924
3⤵
- Program crash
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 944
3⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 988
3⤵
- Program crash
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 556
3⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1020
3⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1168
3⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1400
3⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1408
3⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1460
3⤵
- Program crash
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1396
3⤵
- Program crash
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 892
3⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1320
2⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4392 -ip 4392
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4392 -ip 4392
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4392 -ip 4392
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4392 -ip 4392
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4392 -ip 4392
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4392 -ip 4392
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4392 -ip 4392
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4392 -ip 4392
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4392 -ip 4392
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4392 -ip 4392
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4888 -ip 4888
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4888 -ip 4888
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4888 -ip 4888
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4888 -ip 4888
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4888 -ip 4888
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4888 -ip 4888
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4888 -ip 4888
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4888 -ip 4888
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4888 -ip 4888
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4888 -ip 4888
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4888 -ip 4888
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4888 -ip 4888
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4888 -ip 4888
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4888 -ip 4888
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4888 -ip 4888
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4888 -ip 4888
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4888 -ip 4888
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 440
2⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2176 -ip 2176
1⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 440
2⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2464 -ip 2464
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4888 -ip 4888
1⤵
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\539840389126
Filesize
76KB

MD5
aa9d3768b5e3cf60775b4461204b63e0

SHA1
15c1bac17a4c4386844aaa240350bb2de8d9f413

SHA256
55d76d5102ba2caf0b68bc662fbb243018693ca57cc1469168e2d333e3b0380a

SHA512
2460c4839a88fcb9af94308dd1da8a3efa97edc7a644adad9a952d8eaaef035a51ecf294e94b2230e905ffb546bd4d314caeecccdbcf69bf5627010320a828ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
cfe9e898505ab7ee6363426ebbe47103

SHA1
103e65a8dd5cbfcb47b830573da1c141e566bdd2

SHA256
81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19

SHA512
d4ee968efccf7979f94f5e35adee6efe48a4c99bf23f14eefbb4beac206ec7c18a619feb4d8e0e1ec7c600abb739dd879335babf063510a2d360b844e70d5904

Download Submit
memory/2176-41-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2176-42-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2176-39-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2176-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2464-51-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4392-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/4392-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4392-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4392-2-0x00000000020E0000-0x000000000214F000-memory.dmp

Filesize
444KB

Download
memory/4392-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4888-18-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4888-36-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4888-28-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4888-23-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads