amadey | 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38

General

Target

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
Size

491KB
MD5

0a9a2b21fb2a5f8b18d925ca13ea79d0
SHA1

b89399f5dd81295a4177f8abdba72ceb22c57fed
SHA256

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38
SHA512

299becfe791d0cab30d430bf4f67fe7712cd0e6240557c04a2462d592894a2ada5f69de512c1e5b2bb5c54f0873558048befe88b047ee9c04a6bbfceb26d7f56
SSDEEP

6144:gLQRLRusCvkjgDsxe1HfFEKZLfa/MOsqGvZN1GQOBMfjrYwiuA:gaR7Cv2gXtHLfa/M5fIQO+j

Score

10^/10

amadey 8fc809 trojan

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

8fc809

C2

http://nudump.com

http://otyt.ru

http://selltix.org

Attributes

install_dir
b739b37d80
install_file
Dctooux.exe
strings_key
65bac8d4c26069c29f1fd276f7af33f3
url_paths
/forum/index.php

/forum2/index.php

/forum3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

Dctooux.exeDctooux.exeDctooux.exe

pid process

2212 Dctooux.exe
3864 Dctooux.exe
3752 Dctooux.exe
Drops file in Windows directory 1 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description ioc process

File created C:\Windows\Tasks\Dctooux.job 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2212	Dctooux.exe
3864	Dctooux.exe
3752	Dctooux.exe

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5024	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
1904	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
2928	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
4888	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
5028	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
3036	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
1248	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
4664	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
1768	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
868	2700	WerFault.exe	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
3448	2212	WerFault.exe	Dctooux.exe
1692	2212	WerFault.exe	Dctooux.exe
4980	2212	WerFault.exe	Dctooux.exe
3408	2212	WerFault.exe	Dctooux.exe
4344	2212	WerFault.exe	Dctooux.exe
1408	2212	WerFault.exe	Dctooux.exe
4612	2212	WerFault.exe	Dctooux.exe
5036	2212	WerFault.exe	Dctooux.exe
4896	2212	WerFault.exe	Dctooux.exe
5024	2212	WerFault.exe	Dctooux.exe
2296	2212	WerFault.exe	Dctooux.exe
1596	2212	WerFault.exe	Dctooux.exe
2096	2212	WerFault.exe	Dctooux.exe
1168	2212	WerFault.exe	Dctooux.exe
1368	2212	WerFault.exe	Dctooux.exe
1812	2212	WerFault.exe	Dctooux.exe
1996	2212	WerFault.exe	Dctooux.exe
3272	3864	WerFault.exe	Dctooux.exe
2000	3752	WerFault.exe	Dctooux.exe
4424	2212	WerFault.exe	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

pid process

2700 5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

pid	process
2700	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe

description	pid	process	target process
PID 2700 wrote to memory of 2212	2700	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe
PID 2700 wrote to memory of 2212	2700	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe
PID 2700 wrote to memory of 2212	2700	5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe	Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 756
2⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 828
2⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 756
2⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 924
2⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 756
2⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 912
2⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1132
2⤵
- Program crash
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1168
2⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1160
2⤵
- Program crash
PID:1768

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 560
3⤵
- Program crash
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 560
3⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 624
3⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 632
3⤵
- Program crash
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 640
3⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 804
3⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 632
3⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 924
3⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 964
3⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 984
3⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1016
3⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 588
3⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1148
3⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1408
3⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1436
3⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1356
3⤵
- Program crash
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1408
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 644
3⤵
- Program crash
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 776
2⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2700 -ip 2700
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2700 -ip 2700
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2700 -ip 2700
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2700 -ip 2700
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2700 -ip 2700
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2700 -ip 2700
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2700 -ip 2700
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2700 -ip 2700
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2700 -ip 2700
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2700 -ip 2700
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2212 -ip 2212
1⤵
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2212 -ip 2212
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2212 -ip 2212
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2212 -ip 2212
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2212 -ip 2212
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2212 -ip 2212
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2212 -ip 2212
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2212 -ip 2212
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2212 -ip 2212
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2212 -ip 2212
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2212 -ip 2212
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2212 -ip 2212
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2212 -ip 2212
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2212 -ip 2212
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2212 -ip 2212
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2212 -ip 2212
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2212 -ip 2212
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 440
2⤵
- Program crash
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3864 -ip 3864
1⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 456
2⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3752 -ip 3752
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2212 -ip 2212
1⤵
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\204450073126
Filesize
83KB

MD5
056634564ecb43a5f9b943330228d2a2

SHA1
4da306216089312e2a2e0c76fb5f187519ed21ad

SHA256
0ab89d4ff49d9e09c94218ab065391401222c673893898492c43971210e0e236

SHA512
be4af9eb2f3f2d5b0f1d49fde1dc567d4ff839aa5894961a8e562a3bdd930b215192f4a5ca73652f10180d1472a510dd14c2dd7a16240567dde1541446750bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
Filesize
491KB

MD5
0a9a2b21fb2a5f8b18d925ca13ea79d0

SHA1
b89399f5dd81295a4177f8abdba72ceb22c57fed

SHA256
5f7c9b901567da2b14dcdab2bb4b14f80820032ef92340136368ef1a67426f38

SHA512
299becfe791d0cab30d430bf4f67fe7712cd0e6240557c04a2462d592894a2ada5f69de512c1e5b2bb5c54f0873558048befe88b047ee9c04a6bbfceb26d7f56

Download Submit
memory/2212-16-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2212-34-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2212-35-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/2700-1-0x0000000002600000-0x0000000002700000-memory.dmp

Filesize
1024KB

Download
memory/2700-2-0x0000000003FA0000-0x000000000400F000-memory.dmp

Filesize
444KB

Download
memory/2700-3-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2700-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2700-17-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/3752-48-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download
memory/3864-39-0x0000000000400000-0x0000000002397000-memory.dmp

Filesize
31.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads