amadey | 856c2c32026447fcb65a04b3c0d5e7905c57387e6060ac5d2a2d48e96ec0c8fd

General

Target

ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Size

1.3MB
MD5

db04aa6e158c5d52c20fc855f5285905
SHA1

822416dfa3f094aa6776ed0cad77fb9083db29a3
SHA256

ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
SHA512

cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
SSDEEP

24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ

Score

10^/10

amadey 1cc3fe discovery trojan

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

1cc3fe

C2

http://vitantgroup.com

Attributes

install_dir
431a343abc
install_file
Dctooux.exe
strings_key
5a2387e2bfef84adb686c856b4155237
url_paths
/xmlrpc.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Executes dropped EXE 5 IoCs

pid	Process
4360	Dctooux.exe
1060	Dctooux.exe
3348	Dctooux.exe
1588	Dctooux.exe
4776	Dctooux.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

pid	Process
4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
4360	Dctooux.exe
4360	Dctooux.exe
1060	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
3348	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
1588	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4360	Dctooux.exe
4776	Dctooux.exe
4360	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dctooux.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
4360	Dctooux.exe
1060	Dctooux.exe
3348	Dctooux.exe
1588	Dctooux.exe
4776	Dctooux.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4360	4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe	82
PID 4696 wrote to memory of 4360	4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe	82
PID 4696 wrote to memory of 4360	4696	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe	82

C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
"C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4360

C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\050598569159

Filesize
84KB

MD5
3e11a0b11657f2f0d6b2c6adb3ed5cd9

SHA1
542c67ae40937f87be95005bf06ed0e5b74dcbd3

SHA256
1f22cbb7b1643752df6a08cdc6ee55bec441d58ed7353e2f74fcd1d20eb352c9

SHA512
88534e0c04a8dc4b2b96b1363f53157c05ec9d08e77369f042b26c11c3f499bb0a98320ad0859be946be7626c899337730047a52c9aff46490e351edbd1ca46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe

Filesize
1.3MB

MD5
db04aa6e158c5d52c20fc855f5285905

SHA1
822416dfa3f094aa6776ed0cad77fb9083db29a3

SHA256
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f

SHA512
cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff

Download Submit
C:\Users\Admin\AppData\Roaming\bfbcc7a80c10a7\cred64.dll

Filesize
4KB

MD5
4e653011b0816964e96864fd603ec27e

SHA1
d8d85e603fcae956d09e1df473b3f895ef884e4c

SHA256
75eeeb5f50e05375e8d16d6a788cd401785483147b13479fbc0433dc2200a12b

SHA512
7e54fe9877137be7b8c8259f41e5827f7900332c968e579b6c6b052b39a8f832d9beb2463c4b1756c076e2f8eb48e43779eafb4fb498f0df067734cfa683a0da

Download Submit
memory/1060-39-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/1588-83-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/3348-65-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-27-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-66-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-102-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-98-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-28-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-29-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-15-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-14-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-40-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-48-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-49-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-50-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-51-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-61-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-88-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-16-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-67-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-68-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-69-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-70-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-80-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-87-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-84-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-85-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4360-86-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download
memory/4696-1-0x00000000003A0000-0x0000000000779000-memory.dmp

Filesize
3.8MB

Download
memory/4696-2-0x0000000000691000-0x0000000000779000-memory.dmp

Filesize
928KB

Download
memory/4696-0-0x00000000003A0000-0x0000000000779000-memory.dmp

Filesize
3.8MB

Download
memory/4696-17-0x00000000003A0000-0x0000000000779000-memory.dmp

Filesize
3.8MB

Download
memory/4776-101-0x00000000000B0000-0x0000000000489000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing