amadey | f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6

General

Target

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
Size

432KB
MD5

aad42bb76a48e18ab273efef7548363d
SHA1

0b09fabe2a854ded0c5b9050341eb17ced9f4c09
SHA256

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6
SHA512

5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216
SSDEEP

6144:bnnUuLs75ZGyaragZ/IUY3F8reluB2BmxYNVGhi/H/h31lDNa/N:znUuLs75YyaraGtreQIBcwVZ/h3/B4N

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

1020 Dctooux.exe
4956 Dctooux.exe
1016 Dctooux.exe
1588 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1020	Dctooux.exe
4956	Dctooux.exe
1016	Dctooux.exe
1588	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4592	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
1232	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
2948	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
8	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
748	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4236	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4708	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
3364	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
636	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
3504	1572	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
3472	1020	WerFault.exe	Dctooux.exe
2812	1020	WerFault.exe	Dctooux.exe
2164	1020	WerFault.exe	Dctooux.exe
940	1020	WerFault.exe	Dctooux.exe
1124	1020	WerFault.exe	Dctooux.exe
5016	1020	WerFault.exe	Dctooux.exe
2768	1020	WerFault.exe	Dctooux.exe
400	1020	WerFault.exe	Dctooux.exe
5032	1020	WerFault.exe	Dctooux.exe
3080	1020	WerFault.exe	Dctooux.exe
1620	1020	WerFault.exe	Dctooux.exe
1232	1020	WerFault.exe	Dctooux.exe
3884	1020	WerFault.exe	Dctooux.exe
5116	1020	WerFault.exe	Dctooux.exe
4664	1020	WerFault.exe	Dctooux.exe
5028	1020	WerFault.exe	Dctooux.exe
3900	1020	WerFault.exe	Dctooux.exe
512	4956	WerFault.exe	Dctooux.exe
2732	1016	WerFault.exe	Dctooux.exe
4640	1020	WerFault.exe	Dctooux.exe
4140	1588	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

pid process

1572 f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

pid	process
1572	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

description	pid	process	target process
PID 1572 wrote to memory of 1020	1572	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe
PID 1572 wrote to memory of 1020	1572	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe
PID 1572 wrote to memory of 1020	1572	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
"C:\Users\Admin\AppData\Local\Temp\f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 756
2⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 800
2⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 856
2⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 904
2⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 860
2⤵
- Program crash
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 944
2⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1144
2⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1248
2⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1328
2⤵
- Program crash
PID:636

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 560
3⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 580
3⤵
- Program crash
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 588
3⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 652
3⤵
- Program crash
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 664
3⤵
- Program crash
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 736
3⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 888
3⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 908
3⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 948
3⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 932
3⤵
- Program crash
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 956
3⤵
- Program crash
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1000
3⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1164
3⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1408
3⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1340
3⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1352
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1348
3⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 892
3⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1496
2⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1572 -ip 1572
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1572 -ip 1572
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1572 -ip 1572
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1572 -ip 1572
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1572 -ip 1572
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1572 -ip 1572
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1572 -ip 1572
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1572 -ip 1572
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1572 -ip 1572
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1572 -ip 1572
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1020 -ip 1020
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1020 -ip 1020
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1020 -ip 1020
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1020 -ip 1020
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1020 -ip 1020
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1020 -ip 1020
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1020 -ip 1020
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1020 -ip 1020
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1020 -ip 1020
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1020 -ip 1020
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1020 -ip 1020
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1020 -ip 1020
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1020 -ip 1020
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1020 -ip 1020
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1020 -ip 1020
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1020 -ip 1020
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1020 -ip 1020
1⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 440
2⤵
- Program crash
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4956 -ip 4956
1⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 448
2⤵
- Program crash
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1016 -ip 1016
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1020 -ip 1020
1⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 440
2⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1588 -ip 1588
1⤵
PID:4240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080292272204
Filesize
74KB

MD5
c5975cc40c5bd35147aa9bc697b5557c

SHA1
5f30b5541b5053d48fcba0d33413443813720759

SHA256
0e272199ca2713fa824b58a04a266d57cd8b850f211b4799ba22b9255a7077f8

SHA512
8ead61470f5e98624d9fd32817be087ebff953a3ef6d901d51a06f808df0ed329c86523a7109dcc50efb2ec8facbe13cd3daae9292d9ff0a94a131910095dadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
432KB

MD5
aad42bb76a48e18ab273efef7548363d

SHA1
0b09fabe2a854ded0c5b9050341eb17ced9f4c09

SHA256
f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6

SHA512
5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216

Download Submit
memory/1016-48-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-40-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-39-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1572-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1572-15-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1572-1-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1572-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1572-16-0x0000000000700000-0x000000000076F000-memory.dmp

Filesize
444KB

Download
memory/1572-2-0x0000000000700000-0x000000000076F000-memory.dmp

Filesize
444KB

Download
memory/1588-56-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-26-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4956-38-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads