amadey | ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f

General

Target

dctooux.exe
Size

1.3MB
MD5

db04aa6e158c5d52c20fc855f5285905
SHA1

822416dfa3f094aa6776ed0cad77fb9083db29a3
SHA256

ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
SHA512

cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
SSDEEP

24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ

Score

10^/10

amadey 1cc3fe discovery trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

1cc3fe

C2

http://vitantgroup.com

Attributes

install_dir
431a343abc
install_file
Dctooux.exe
strings_key
5a2387e2bfef84adb686c856b4155237
url_paths
/xmlrpc.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Executes dropped EXE 1 IoCs

pid	Process
2200	Dctooux.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	dctooux.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2304	dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe
2200	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	dctooux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dctooux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2304	dctooux.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	dctooux.exe
2200	Dctooux.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2200	2304	dctooux.exe	31
PID 2304 wrote to memory of 2200	2304	dctooux.exe	31
PID 2304 wrote to memory of 2200	2304	dctooux.exe	31
PID 2304 wrote to memory of 2200	2304	dctooux.exe	31

C:\Users\Admin\AppData\Local\Temp\dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\dctooux.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\692679935401

Filesize
76KB

MD5
d0d3737382097820459d3f59b2be9847

SHA1
58b1ddbafd7a177bd27e6b9c53868d83f62c1c6f

SHA256
d9cd740f912d5fa0a8eb8534afad8328cc8282d3c0f4e5399eb28f4be5ab324a

SHA512
c2a7f36127f60414e9ee320dd2e1c01dedee9e4c49ee17b3d22cf727bd7cb0f0c101befef819afc73f6a49d520210137fc420230f7d9c3ccc7093feb1fd60b80

Download Submit
C:\Users\Admin\AppData\Roaming\bfbcc7a80c10a7\cred64.dll

Filesize
4KB

MD5
2ab2b95648425526a8d2b7f8781999aa

SHA1
c02e6233b55e349b14b30bcaffec72f0c9eaa0e9

SHA256
540824e960f36c4f3355b68a8821f996cedfdf11ef55f7537ec608fdf4a8e4d9

SHA512
527c1f20dde744780d662a7d6537e1917285132b8de81adb2e480bf3bfc535668901fe18098070e469334a7be1ca6ec980f15c4ba07875f2630b3e09d92bf161

Download Submit
\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe

Filesize
1.3MB

MD5
db04aa6e158c5d52c20fc855f5285905

SHA1
822416dfa3f094aa6776ed0cad77fb9083db29a3

SHA256
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f

SHA512
cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff

Download Submit
memory/2200-15-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-63-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-18-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-17-0x0000000000BB1000-0x0000000000C99000-memory.dmp

Filesize
928KB

Download
memory/2200-72-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-71-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-66-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-65-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-30-0x0000000000BB1000-0x0000000000C99000-memory.dmp

Filesize
928KB

Download
memory/2200-31-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-32-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-64-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-40-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-48-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-49-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-50-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-51-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-61-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2200-62-0x00000000008C0000-0x0000000000C99000-memory.dmp

Filesize
3.8MB

Download
memory/2304-4-0x0000000000370000-0x0000000000749000-memory.dmp

Filesize
3.8MB

Download
memory/2304-1-0x0000000000370000-0x0000000000749000-memory.dmp

Filesize
3.8MB

Download
memory/2304-2-0x0000000000661000-0x0000000000749000-memory.dmp

Filesize
928KB

Download
memory/2304-12-0x00000000049B0000-0x0000000004D89000-memory.dmp

Filesize
3.8MB

Download
memory/2304-16-0x0000000000370000-0x0000000000749000-memory.dmp

Filesize
3.8MB

Download
memory/2304-0-0x0000000000370000-0x0000000000749000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing