amadey | 7371d21f531ec5c5ef2b392521f8abd4276a4f8161f4bd2a18969c5ce72cca4b

General

Target

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
Size

491KB
MD5

052e6b664d68958cff0d19ef11286662
SHA1

abe767326cf2188599f6b59863e74ade34e48d73
SHA256

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61
SHA512

93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b
SSDEEP

6144:HN+Le4r9Wm2moCgSBpFLoS7MWh1z4160yiFwb6WZY0M4mEZGDAeOGUI:Eq4rYRfaxYOgq6WZY/

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

2592 Dctooux.exe
3252 Dctooux.exe
4360 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2592	Dctooux.exe
3252	Dctooux.exe
4360	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2392	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
5104	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
3644	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
2336	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
1556	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
2848	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
2140	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
5012	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
1752	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
1520	3784	WerFault.exe	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
3528	2592	WerFault.exe	Dctooux.exe
848	2592	WerFault.exe	Dctooux.exe
1988	2592	WerFault.exe	Dctooux.exe
4512	2592	WerFault.exe	Dctooux.exe
3080	2592	WerFault.exe	Dctooux.exe
440	2592	WerFault.exe	Dctooux.exe
1432	2592	WerFault.exe	Dctooux.exe
1608	2592	WerFault.exe	Dctooux.exe
1084	2592	WerFault.exe	Dctooux.exe
4192	2592	WerFault.exe	Dctooux.exe
640	2592	WerFault.exe	Dctooux.exe
4616	2592	WerFault.exe	Dctooux.exe
924	2592	WerFault.exe	Dctooux.exe
4676	2592	WerFault.exe	Dctooux.exe
516	2592	WerFault.exe	Dctooux.exe
2288	2592	WerFault.exe	Dctooux.exe
724	2592	WerFault.exe	Dctooux.exe
116	3252	WerFault.exe	Dctooux.exe
2568	4360	WerFault.exe	Dctooux.exe
908	2592	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

pid process

3784 314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

pid	process
3784	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe

description	pid	process	target process
PID 3784 wrote to memory of 2592	3784	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe
PID 3784 wrote to memory of 2592	3784	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe
PID 3784 wrote to memory of 2592	3784	314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe
"C:\Users\Admin\AppData\Local\Temp\314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 756
2⤵
- Program crash
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 776
2⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 820
2⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 904
2⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 908
2⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 908
2⤵
- Program crash
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1116
2⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1160
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1188
2⤵
- Program crash
PID:1752

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 552
3⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 580
3⤵
- Program crash
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 584
3⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 660
3⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 668
3⤵
- Program crash
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 720
3⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888
3⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 924
3⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888
3⤵
- Program crash
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 932
3⤵
- Program crash
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 888
3⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1020
3⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1180
3⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1396
3⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1372
3⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1332
3⤵
- Program crash
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1464
3⤵
- Program crash
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 892
3⤵
- Program crash
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1280
2⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3784 -ip 3784
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3784 -ip 3784
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3784 -ip 3784
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3784 -ip 3784
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3784 -ip 3784
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3784 -ip 3784
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3784 -ip 3784
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3784 -ip 3784
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2592 -ip 2592
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2592 -ip 2592
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2592 -ip 2592
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2592 -ip 2592
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2592 -ip 2592
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2592 -ip 2592
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2592 -ip 2592
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2592 -ip 2592
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2592 -ip 2592
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2592 -ip 2592
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2592 -ip 2592
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2592 -ip 2592
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2592 -ip 2592
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2592 -ip 2592
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2592 -ip 2592
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 444
2⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3252 -ip 3252
1⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 440
2⤵
- Program crash
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4360 -ip 4360
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2592 -ip 2592
1⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\004059303877
Filesize
81KB

MD5
aac2ace1320e6897085c92855baf462d

SHA1
84d7bd3274aca0f56de6584241fa0a7fea8bab3b

SHA256
0047612e100cf08e79c4b2c585c6605c396971849252688b373b89508967b782

SHA512
a8545220fcea5f5098eba1b27ca1db011bdb9f914763d67b9404b7a222e99582b6ed19c961156218dac3c1845a9b154e0a476035dab87ccb87ce09fe158c8373

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
491KB

MD5
052e6b664d68958cff0d19ef11286662

SHA1
abe767326cf2188599f6b59863e74ade34e48d73

SHA256
314c137a0bb73b688fb855ceb56f0ff129145ab7a573ecaed70dc4bb1c486f61

SHA512
93b273c8bfd6723ecda2867f0793130837bf4b05d640aa89ba3afdee0289ffeb23a5645d684495caa38862a948d83ac66b397973b81970877f761a2e13a0737b

Download Submit
memory/2592-35-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/2592-16-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/2592-36-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3252-40-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3784-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3784-19-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3784-18-0x0000000004370000-0x00000000043DF000-memory.dmp

Filesize
444KB

Download
memory/3784-17-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download
memory/3784-2-0x0000000004370000-0x00000000043DF000-memory.dmp

Filesize
444KB

Download
memory/3784-1-0x0000000002790000-0x0000000002890000-memory.dmp

Filesize
1024KB

Download
memory/4360-49-0x0000000000400000-0x0000000002767000-memory.dmp

Filesize
35.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads