amadey | f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6

General

Target

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
Size

432KB
MD5

aad42bb76a48e18ab273efef7548363d
SHA1

0b09fabe2a854ded0c5b9050341eb17ced9f4c09
SHA256

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6
SHA512

5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216
SSDEEP

6144:bnnUuLs75ZGyaragZ/IUY3F8reluB2BmxYNVGhi/H/h31lDNa/N:znUuLs75YyaraGtreQIBcwVZ/h3/B4N

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exeDctooux.exe

pid process

3144 Dctooux.exe
832 Dctooux.exe
1804 Dctooux.exe
2344 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3144	Dctooux.exe
832	Dctooux.exe
1804	Dctooux.exe
2344	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

Program crash 31 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2768	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
3396	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4556	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4996	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4428	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
2288	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
1772	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
772	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
872	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
4916	4876	WerFault.exe	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
1852	3144	WerFault.exe	Dctooux.exe
1928	3144	WerFault.exe	Dctooux.exe
1876	3144	WerFault.exe	Dctooux.exe
3572	3144	WerFault.exe	Dctooux.exe
4552	3144	WerFault.exe	Dctooux.exe
4992	3144	WerFault.exe	Dctooux.exe
5036	3144	WerFault.exe	Dctooux.exe
4056	3144	WerFault.exe	Dctooux.exe
412	3144	WerFault.exe	Dctooux.exe
4792	3144	WerFault.exe	Dctooux.exe
3520	3144	WerFault.exe	Dctooux.exe
2740	3144	WerFault.exe	Dctooux.exe
4968	3144	WerFault.exe	Dctooux.exe
5016	3144	WerFault.exe	Dctooux.exe
1516	3144	WerFault.exe	Dctooux.exe
4272	3144	WerFault.exe	Dctooux.exe
3464	3144	WerFault.exe	Dctooux.exe
1924	832	WerFault.exe	Dctooux.exe
3556	1804	WerFault.exe	Dctooux.exe
4280	3144	WerFault.exe	Dctooux.exe
2172	2344	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

pid process

4876 f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

pid	process
4876	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe

description	pid	process	target process
PID 4876 wrote to memory of 3144	4876	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe
PID 4876 wrote to memory of 3144	4876	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe
PID 4876 wrote to memory of 3144	4876	f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe
"C:\Users\Admin\AppData\Local\Temp\f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 776
2⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 824
2⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 876
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 948
2⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 952
2⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 876
2⤵
- Program crash
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1020
2⤵
- Program crash
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1020
2⤵
- Program crash
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1132
2⤵
- Program crash
PID:872

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 588
3⤵
- Program crash
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 628
3⤵
- Program crash
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 668
3⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 716
3⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 724
3⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 864
3⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 656
3⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 964
3⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1000
3⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 740
3⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1004
3⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1048
3⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1212
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1452
3⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1404
3⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1484
3⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1504
3⤵
- Program crash
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 660
3⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1284
2⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4876 -ip 4876
1⤵
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4876 -ip 4876
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4876 -ip 4876
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4876 -ip 4876
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4876 -ip 4876
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4876 -ip 4876
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4876 -ip 4876
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4876 -ip 4876
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3144 -ip 3144
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3144 -ip 3144
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3144 -ip 3144
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3144 -ip 3144
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3144 -ip 3144
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3144 -ip 3144
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3144 -ip 3144
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3144 -ip 3144
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3144 -ip 3144
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3144 -ip 3144
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3144 -ip 3144
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3144 -ip 3144
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3144 -ip 3144
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3144 -ip 3144
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 472
2⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 832 -ip 832
1⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 488
2⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1804 -ip 1804
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3144 -ip 3144
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 476
2⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2344 -ip 2344
1⤵
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\474490143322
Filesize
73KB

MD5
dcf8124fd9a7fc68f61a73bf178cfc10

SHA1
247594a7fc503748a2dafcfc8c6b75ff3572d791

SHA256
e845d9336dcc218bea7ba60ecb5fc4ddcda4ef06e54aecd7329da2d77b366291

SHA512
6100e00afe61d9c90d76c21ae408d333f2aa2f256fbf5bc6aa3dcb94641fb53feac24617a5382925d7463a4fb3b03f30d93d43a956412ff3fcaa130ab87251b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
432KB

MD5
aad42bb76a48e18ab273efef7548363d

SHA1
0b09fabe2a854ded0c5b9050341eb17ced9f4c09

SHA256
f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6

SHA512
5e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216

Download Submit
memory/832-28-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/832-29-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1804-50-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2344-60-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-30-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-19-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-20-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-21-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-31-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-36-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-44-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4876-15-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4876-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4876-2-0x00000000006E0000-0x000000000074F000-memory.dmp

Filesize
444KB

Download
memory/4876-16-0x00000000006E0000-0x000000000074F000-memory.dmp

Filesize
444KB

Download
memory/4876-1-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/4876-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing