amadey | 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
Size

491KB
MD5

0a9a2b21fb2a5f8b18d925ca13ea79d0
SHA1

b89399f5dd81295a4177f8abdba72ceb22c57fed
SHA256

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38
SHA512

299becfe791d0cab30d430bf4f67fe7712cd0e6240557c04a2462d592894a2ada5f69de512c1e5b2bb5c54f0873558048befe88b047ee9c04a6bbfceb26d7f56
SSDEEP

6144:gLQRLRusCvkjgDsxe1HfFEKZLfa/MOsqGvZN1GQOBMfjrYwiuA:gaR7Cv2gXtHLfa/M5fIQO+j

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

Dctooux.exe

pid process

2540 Dctooux.exe

pid	process
2540	Dctooux.exe

Loads dropped DLL 2 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

pid	process
2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

pid process

2972 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description	pid	process	target process
PID 2972 wrote to memory of 2540	2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe
PID 2972 wrote to memory of 2540	2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe
PID 2972 wrote to memory of 2540	2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe
PID 2972 wrote to memory of 2540	2972	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\297530677122
Filesize
69KB

MD5
b59798973f105a59263976d6452a4506

SHA1
2ebd409eb4ff7e6ca40fb2d5513df476a3dfbfe4

SHA256
46d679a3084913326668c20419f91e485d9108ad530106919175233b075131de

SHA512
95da17dff5a33e7505e44d9f8e3deab6d3033e2e99dd41c8293358a3cd8747c563ff5871bcaaff1f5a77fb0e4e7273b72081cd2aed4b7a0ebb5fea09ff572ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
491KB

MD5
0a9a2b21fb2a5f8b18d925ca13ea79d0

SHA1
b89399f5dd81295a4177f8abdba72ceb22c57fed

SHA256
5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38

SHA512
299becfe791d0cab30d430bf4f67fe7712cd0e6240557c04a2462d592894a2ada5f69de512c1e5b2bb5c54f0873558048befe88b047ee9c04a6bbfceb26d7f56

Download Submit
memory/2540-28-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2540-36-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2972-1-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2972-2-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2972-17-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2972-18-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download