amadey | 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19

General

Target

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
Size

424KB
MD5

cfe9e898505ab7ee6363426ebbe47103
SHA1

103e65a8dd5cbfcb47b830573da1c141e566bdd2
SHA256

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19
SHA512

d4ee968efccf7979f94f5e35adee6efe48a4c99bf23f14eefbb4beac206ec7c18a619feb4d8e0e1ec7c600abb739dd879335babf063510a2d360b844e70d5904
SSDEEP

6144:HnnUujpl1gxSfHvL+wizyxojjHi3SjMvjtGBKXcBtG95v+bgG21/:HnUuj15vzEzjjHi3bRGBKXX+2R

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

472 Dctooux.exe
3448 Dctooux.exe
3752 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
472	Dctooux.exe
3448	Dctooux.exe
3752	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3476	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1868	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1320	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
3864	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
664	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
4840	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
2380	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
4016	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
1192	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
236	3324	WerFault.exe	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
2868	472	WerFault.exe	Dctooux.exe
3624	472	WerFault.exe	Dctooux.exe
4024	472	WerFault.exe	Dctooux.exe
4000	472	WerFault.exe	Dctooux.exe
2120	472	WerFault.exe	Dctooux.exe
3876	472	WerFault.exe	Dctooux.exe
4124	472	WerFault.exe	Dctooux.exe
72	472	WerFault.exe	Dctooux.exe
1676	472	WerFault.exe	Dctooux.exe
2348	472	WerFault.exe	Dctooux.exe
3660	472	WerFault.exe	Dctooux.exe
4944	472	WerFault.exe	Dctooux.exe
4868	472	WerFault.exe	Dctooux.exe
2188	472	WerFault.exe	Dctooux.exe
4560	472	WerFault.exe	Dctooux.exe
4636	472	WerFault.exe	Dctooux.exe
5096	472	WerFault.exe	Dctooux.exe
476	3448	WerFault.exe	Dctooux.exe
880	3752	WerFault.exe	Dctooux.exe
3368	472	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

pid process

3324 81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

pid	process
3324	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe

description	pid	process	target process
PID 3324 wrote to memory of 472	3324	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe
PID 3324 wrote to memory of 472	3324	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe
PID 3324 wrote to memory of 472	3324	81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe
"C:\Users\Admin\AppData\Local\Temp\81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 776
2⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 776
2⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 876
2⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 932
2⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 920
2⤵
- Program crash
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 984
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1020
2⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1020
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1132
2⤵
- Program crash
PID:1192

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 588
3⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 632
3⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 680
3⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 704
3⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 712
3⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 660
3⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 900
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 900
3⤵
- Program crash
PID:72

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 944
3⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 656
3⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 656
3⤵
- Program crash
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1068
3⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1228
3⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1452
3⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1388
3⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1392
3⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1552
3⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 904
3⤵
- Program crash
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 840
2⤵
- Program crash
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3324 -ip 3324
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3324 -ip 3324
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3324 -ip 3324
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3324 -ip 3324
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3324 -ip 3324
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3324 -ip 3324
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3324 -ip 3324
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3324 -ip 3324
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3324 -ip 3324
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 472 -ip 472
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 472 -ip 472
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 472 -ip 472
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 472 -ip 472
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 472 -ip 472
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 472 -ip 472
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 472 -ip 472
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 472 -ip 472
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 472 -ip 472
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 472 -ip 472
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 472 -ip 472
1⤵
PID:256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 472 -ip 472
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 472 -ip 472
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 472 -ip 472
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 472 -ip 472
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 472 -ip 472
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 472 -ip 472
1⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 472
2⤵
- Program crash
PID:476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3448 -ip 3448
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 472
2⤵
- Program crash
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3752 -ip 3752
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 472 -ip 472
1⤵
PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\672260578815
Filesize
75KB

MD5
9fc1374369e4543ce1c80e1066278aa6

SHA1
eff7822f6592ea60520eea0981ef66bd5402249d

SHA256
9aebf3e414925690c8ac62ad5ebb69253592e14f3709803826fa951a692807bf

SHA512
0ae10ddba569f71b3488c9bab7fc6c6498c55a3ce52c3bd89027fd6a95110c19057bd14eebd458705f070da8f0b25e5711fe91e5009537d04a52eaca5849eb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
424KB

MD5
cfe9e898505ab7ee6363426ebbe47103

SHA1
103e65a8dd5cbfcb47b830573da1c141e566bdd2

SHA256
81ed4a6ffdc3d2afa4daba88da47480b3152fc2e3ba40c07c815eca57c1e8b19

SHA512
d4ee968efccf7979f94f5e35adee6efe48a4c99bf23f14eefbb4beac206ec7c18a619feb4d8e0e1ec7c600abb739dd879335babf063510a2d360b844e70d5904

Download Submit
memory/472-18-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/472-23-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/472-24-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/472-36-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3324-2-0x0000000002200000-0x000000000226F000-memory.dmp

Filesize
444KB

Download
memory/3324-1-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/3324-15-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3324-16-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3324-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3448-39-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3448-40-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3752-49-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing