Resubmissions
25/01/2025, 23:19
250125-3a9dlavrfq 1025/01/2025, 00:39
250125-azr7dswras 1025/01/2025, 00:32
250125-avsblawpdx 1025/01/2025, 00:29
250125-as5h5swnfv 1004/12/2024, 19:44
241204-yftswatlcj 1028/11/2024, 19:40
241128-ydqnfaxqgy 1020/11/2024, 16:31
241120-t1tw6azjfy 1020/11/2024, 06:05
241120-gtdv5ssnes 1020/11/2024, 06:00
241120-gqchxascje 1020/11/2024, 05:52
241120-gk2kvaxkgn 10Analysis
-
max time kernel
43s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04/12/2024, 19:44
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
amadey
4.19
8fc809
http://nudump.com
http://otyt.ru
http://selltix.org
-
install_dir
b739b37d80
-
install_file
Dctooux.exe
-
strings_key
65bac8d4c26069c29f1fd276f7af33f3
-
url_paths
/forum/index.php
/forum2/index.php
/forum3/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 14 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe"C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.funletters.net/readme.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:734216 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\c1.exe"C:\Users\Admin\AppData\Local\Temp\Files\c1.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\test_again4.exe"C:\Users\Admin\AppData\Local\Temp\Files\test_again4.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe"C:\Users\Admin\AppData\Local\Temp\Files\8fc809.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\china.exe"C:\Users\Admin\AppData\Local\Temp\Files\china.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.funletters.net/readme.htm3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD53cc2d26ddc772c8d2e3411c908e35f15
SHA1fddec67f729d85172ba4b856736555842c81e3d4
SHA256e4aac2a897baa518ceba1cec6692fa6bc2af8f93c1168a7dfe98bf694220aa30
SHA512138542bd9d3840f0ffe9aef70985f897a4a1906cc5c259e59885dfad1340189f23ab83ac343fecaacd587429bf28c6923eef503de8f5b8d3f689f2531c0688fd
-
Filesize
342B
MD54027cae0b4a204849968d409d8eb120f
SHA1348035bf59147775139adcdc14cd36112bdede43
SHA256d1aaaedef36eae6417767cfcbbeeb3c66b3d9cf4c7f11b31c8ed8e2923faad00
SHA5129731091da063fd439504c95680b6757d6cf160ceafcdb80310d2c608cca01c640d5a569981e71ecc4b37db31161d7b293202c49891e47697ad50859652a0d34a
-
Filesize
342B
MD500ce9b5596d74517567ba95e63629819
SHA1d8a91a6da8e82d4fc8529e9adbbffc1ce458ba86
SHA25687d4ffa2b59c2e9b05a57db2a79fb0010d9fb3f0e5b8ba1601c05a38c8de780d
SHA5124c6b3c3cce3dae42fe8cf4f949897aeb6beb247ad28391b45d0152146ec6e46ccbd178f3f87bf241905709ff039597a122109d83454de5558bc4fdd8205a42b7
-
Filesize
342B
MD579f49056999ef417dadd8b1e9d0be503
SHA190e5728960017976c0e009533344de1c26077112
SHA256ecce5664fa4c2a08350d05c02753be73790a2ea4c4ce06df1198e2cbac144fb6
SHA5120afa00b4caab54f9b31dde24d044acae862c5f2dde66b2ff4c7a69e8aa098e41e5d4ccdfbab8964ce0ca5910ee62c5c7822232b78c8b80cc690e42b7fc0c4594
-
Filesize
342B
MD546914adc450897b13c1d912308d899ac
SHA1a249dd5a341e3f9e6242e9b4ea780c877e2cb06d
SHA25677a73d449e834adb78dd015152b895c7018c27506c81763616bd60f9824cafc3
SHA5122479b5db692cf1082bf24715c26c533fa76855e5d67491efd4d164e3fce3956ce0a37871883dc462096242f5f00665489e142ce1accfb7f49e9922d331d38ce0
-
Filesize
342B
MD5a2268028131c7b19dd020c85428e1c17
SHA1728a7f80788316c1e9987d24cd95c64ac1ff600e
SHA256047cf9e7d930afc64042c05d79662cde52f61560f071f1b5bfc4da12f29dc641
SHA512a18c517dd912f56f4d2fec505daa65665eba529bd65ba5d64aa2e9b34a11e8a4069110a58299c4a15ddf8cf0f8331bdcf2eb0ac6f79bf7c7bc6cb42028ec4007
-
Filesize
342B
MD5be14fc3f796e9857bd554f7d0b8e7be9
SHA152f46342b0cf49947ca4754dfac782b35cb642ab
SHA256efcc1e3d6673c56d5c885d452ece8d4fc86e02491870ad17ccfda4b99320d8f3
SHA512fbdb1a95b451f9e305cea36164fa4a014328bcae479426b41648247eb85aa29beeabe552edfb1861bbaef05c92c3677ad37b3bb696ee9b2d102d6fd784901b0f
-
Filesize
342B
MD56157ef0589ae062dd4c40c1b3d690147
SHA17b89793a7dfdd682bda3ec98f2eca49b65d953cb
SHA2567bf6588bb89ce93152f5051ddeea77a53760b165b5b6d0e1a84b5e84c28716f6
SHA512132d1a2a874002e557d405fa9aca86d9aefbd2f49b3adb3a48523711cf304a54476d6ed7bfb9d26dd523457b005169ad8f8a497268e711321d56d59f73def2f5
-
Filesize
342B
MD581c4dfe77a22ce6d765f9d55c22f152c
SHA1e18b1ef8e113d165ceebbc2a78e4eaf484fd4592
SHA2565aece3e3129418ff1dee13b7460c80e093c393be19db732752d9f701a1f47736
SHA5120954ffa28b37a3e1a1dfc459c5141665594b43e57741c3219c4a991306f6ff592ae3275ee4313664023fcbefa498df5bf6d8b0f0fd92b88f3b11358bd0617e4c
-
Filesize
342B
MD59024b98f8ac59255819bbe8ab760e4b1
SHA11e07fe9ea09cffa1975abfbdeba2db982a8ff4e4
SHA2561f63315c8362ee4a2334727f684f2bfb8fb1035a67fd7616554ab17308a4507c
SHA512311084300f699d2a17966161b5e524839de1c139d00add76143bceda1d27c89d6ae092e3f8da7b7886e313a51abfe1418a6d62bbb6fbf82d183c41186afe10c1
-
Filesize
342B
MD5d8a054d83429d8f41e96e50d107775cd
SHA1163303bc07959b2d540d17a67efdddc09a783848
SHA25629c722593f2bd38f7eecb4553825f394cdbd0e6db62adcec6099660c615a3ed6
SHA512bd7d308d74c7244d0446262bda11b3a7fa65e4be487ec1a792cca6d20283b691a945a694e6513c3f2b99f463902dbd7aaf17a79597c64d11751206f16b18e143
-
Filesize
342B
MD586f0861212ac18bdc851d707a43b8102
SHA129608e16f0194aed30451948b3162757dc3c4a1c
SHA2567fdf3beeb0df97a1d742718cfc21d0218fbfa3bccbf491b24a0c466e365a7af0
SHA512201fae89e6bdf841f47ffadfa1e7214ab3fe0fbbdbb8e4dabfa9f1b636dc852b5f55f72b070ddb9aab1db621b300f510d98a944efc4ddc8d6087668a9b42f110
-
Filesize
16KB
MD5c71ba82facae62ff6c615d8ab57e3a37
SHA1809b738ed07b1dd9fac32145918996a45ed57cd1
SHA25607c4c4db853b0e3b6aed4bd5123d7b66e06b41cb085470ede5e2577f69dfb54c
SHA5125812e75e5b59e8681f0f79b42b875f10801e58b354c202ce37005b0134beb14ef54a4972cab37b3679bbe2d3187c70652ba33bfffba8a928b918ed4eb96ce108
-
Filesize
40KB
MD5c039930144c53053075c717cbcd132e9
SHA106f40d886d32054f96335d85fcbc4884078682d4
SHA256c7f2fdac66dee088b86d286cced345ebcd81bca232b77306174ee9cee8ec393a
SHA51224a637eb1b5e6a4837ea7af9dd088aaf28c517596cb4037eee82b49421cd826053f39445cc1a8f5a7f73b4a39bc8e3ebfa65d5c3389dbc3e8e1d57db860b1c55
-
Filesize
32KB
MD55905ab4cd453e26e31ac05ef718d1ae1
SHA16c9be36e57af0fa180aa75cb241fa2c831a197a0
SHA25694c177c5daf41f465d666697b294dbb7cdd42e35291674e84390979c266761dd
SHA5129d458fa6bfa7b97aabb02c540e1dbd64642f4a19e4f308b335d54fa17f8c14d2648c411a1b45d8ea7e9a20ee9f4d4cf2f3b88c961c552233aef25bda8a373d17
-
Filesize
30KB
MD5998edec9996a11819aff421e2ee5e1e3
SHA190047193d7c44a8e4eab95906700b86803d6c37f
SHA25620ebd19a1c157caef50a31872adff8dd41cbb6431086febf3ecb9258f0cd7f6d
SHA51281acd4c860c51451e100230e82071663b0e42451d6bfb11af1b31987f5d8a449f6a2a029a30c35c04f7b219408a15004ef8f20470e2a82389832456af2efda6f
-
Filesize
17KB
MD5fa15586eaf483fc379219ff357869daf
SHA194e9a1b9439a7bbe4b4437b686b4e792bcdd25da
SHA25641c34940beee16fe53fedd15d1c985bdcfe341cab9edafa29b056a1faa2c0cfe
SHA5123f5d8d2ee6656c05141d5601501c34f7bb97d19ec31c209b0c8425d45164bef1040f270b87030f99224828e0cb79bc745f6de5adb07a11ae1f65705115fd2f88
-
Filesize
186KB
MD59a9d0f04991d174f48a1a29b6e7eb07d
SHA1a68a1110ef656696b61179a24859f7a495be80c4
SHA256535423472d5ba24deb4ef1b007b31264d233713666daac405b92fed902d875c8
SHA5124724930f34bc74b9966c538b6f78d5578f0199d1e579f386394df514ec5a4479da8c5dbd49f7b6c0a28d783ade0ce367ccec8cc2af2c0f6885ead916f8a98c01
-
Filesize
8KB
MD51d1f363118c514aff9990124df84315b
SHA1a6f5527d568416d0242d55a59be3091cd0ae8712
SHA256483fecabf2f328b7055686ba1b013f1acf93ca256d982c524149cd86ae784954
SHA512486b0af01f31a88a007706ca2a5d7db9f68bea33433b9a33081a2773baa2047131770800fd3d58ceb0ba6288c5b1e006299ac3947c19c820451f9862efdf2a10
-
Filesize
8KB
MD50a7f3de09f7bcb738dbab04d6862c39c
SHA1916851155eb6e8c05fcf7819dcfd722e828f7a41
SHA256cf8d5d3d9b47076c99b098c24bdf81269d386d5c6df636c7cc73b71c5bb0f9b3
SHA51230b4ef81e0fa82ee75b2f7d96a046e6b927aa591f2d6631f724175c1fce991874941e8308f72bb2b9603d8bb5082ea471e4108c151e44b8ecdee42b901ed7f03
-
Filesize
99KB
MD5696f1aaeca14afdd72cfbca1dda89bef
SHA171f42eb8de48d03877bc8677175c68ae1a41d56e
SHA256b984a5c69c05572d481303ded8901a486de30d25df1849dafcd43699eff177c7
SHA5123b98db6da81beb8043b56447ac1a06415f72f815044db7ffa6c280caaa86401e3eb77f79b77fea94650754213b3abd0c4322f0780a4c97d1518a3cb10bd3321e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
24KB
MD5e667dc95fc4777dfe2922456ccab51e8
SHA163677076ce04a2c46125b2b851a6754aa71de833
SHA2562f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f
SHA512c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef
-
Filesize
432KB
MD5aad42bb76a48e18ab273efef7548363d
SHA10b09fabe2a854ded0c5b9050341eb17ced9f4c09
SHA256f75fbc05bbf3a9d9f9e2b67108f4d54eaf7582d10799385a5656b48ac10e86c6
SHA5125e58548ad6ff2a0237eea4d8a82695eab5031dca24a25c714f614b9e8fac0e90528cda0d80054f447288fcd9166e72729df32956784159b17ec378ae4278f216
-
Filesize
547KB
MD52609215bb4372a753e8c5938cf6001fb
SHA1ef1d238564be30f6080e84170fd2115f93ee9560
SHA2561490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63
SHA5123892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2
-
Filesize
75KB
MD5a95e09168ff4b517c1ffa385206543b5
SHA12af4ec72be606aaae269ef32f8f7b3cb0bfda14b
SHA256d417c5248d33ba5e02b468a08551c5eab4601ec318855ce0d9a0c7fb4103fa4f
SHA51279563c3818ff77400a2f0d80a37682409fc92450eebaf950271a130c3e33de6911be279bd24c1d85a02f8dae22abbec766d2b8e1b0731d75fa61f2bceb27ad2e
-
Filesize
75KB
MD57f0257538089cd55fecc03bb86a1efe4
SHA150850beedb570d80971eaedba25c5ea9ba645feb
SHA2560809c80c42e094b2695efbe1ca0532bc494b40c1fbd5967b05979c2077633e1f
SHA512542e1f179976d4d8b370fd81e7633c6fdb33fe0b596e48170b31a04195f9809dc1a2268b6012f001dcd3ed62b068b8a34acc9a3450f1817206ffb1352447cebc
-
Filesize
354KB
MD5b84e8b628bf7843026f4e5d8d22c3d4f
SHA112e1564ed9b706def7a6a37124436592e4ad0446
SHA256b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28
SHA512080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd
-
Filesize
44KB
MD57d46ea623eba5073b7e3a2834fe58cc9
SHA129ad585cdf812c92a7f07ab2e124a0d2721fe727
SHA2564ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5
SHA512a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
508KB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
504KB
-
Filesize
384KB
-
Filesize
336KB
-
Filesize
476KB
