amadey | f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454

Resubmissions

27-06-2024 14:13

240627-rjs77avdmg 10

25-06-2024 23:04

240625-22r3ysyhkh 10

Analysis

max time kernel
83s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240611-fr
resource tags

arch:x64arch:x86image:win10v2004-20240611-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
27-06-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Size

1.8MB
MD5

381ad58a2d349eb4f1efa241b4f47f3e
SHA1

1561cc54882ced57264cd4357f3fd46039099cf9
SHA256

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454
SHA512

9585252cf0491e01902f16a9eef1e4aa5d97926514dd155973f831721e9e4480069a80c961eedb121d7fef739971b6d8ac4b6b60ee7c410b8907782450f86c18
SSDEEP

49152:7EQpE8UYKkO0tSROV2EpBWoiQJzwOF4fmMUV4jC42d:7EPX8tcOAWeKzMpjC48

Score

10^/10

amadey e76b71 evasion trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe

Executes dropped EXE 2 IoCs

Processes:

axplong.exeaxplong.exe

pid process

460 axplong.exe
5728 axplong.exe

pid	process
460	axplong.exe
5728	axplong.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exef7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Wine	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exeaxplong.exeaxplong.exe

pid process

2820 f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
460 axplong.exe
5728 axplong.exe
Drops file in Windows directory 1 IoCs

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe

description ioc process

File created C:\Windows\Tasks\axplong.job f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exeaxplong.exemsedge.exeaxplong.exe

pid	process
2820	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
2820	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
460	axplong.exe
460	axplong.exe
1116	msedge.exe
1116	msedge.exe
5728	axplong.exe
5728	axplong.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exemsedge.exe

description	pid	process	target process
PID 2820 wrote to memory of 460	2820	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe	axplong.exe
PID 2820 wrote to memory of 460	2820	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe	axplong.exe
PID 2820 wrote to memory of 460	2820	f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe	axplong.exe
PID 4576 wrote to memory of 3172	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3172	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3772	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 1116	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 1116	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe
PID 4576 wrote to memory of 3396	4576	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe
"C:\Users\Admin\AppData\Local\Temp\f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3c0050abhc195h4dc2h97dbhef6a0c5d71b0
1⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbec6446f8,0x7ffbec644708,0x7ffbec644718
2⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,8486492842003774767,16525492555375445297,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
2⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,8486492842003774767,16525492555375445297,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,8486492842003774767,16525492555375445297,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2774b257ff02164f608e1da600eab284

SHA1
a7c487bd37671b934a148a5f9e8a3609cb33cec9

SHA256
8c6e4a7e588238fe99ffe297227c9d8187bc376954aea8a599264450c8e3c4ca

SHA512
782a7ab70e76d343cd5b20e89ed85664377caa5cea89f7848bbff6781a1144658ab83139dbf3012390fe5792dbb528b310a10a624606315a636644be9fa67eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
55948c5d71a7cd8c427eef91eb51e67a

SHA1
0dec3f089f8a02d224c530a417d0f5e3c14d03db

SHA256
6b391030face84e05c23f7140c1f31c02986fa3cf251820903fe35fe9bc33eca

SHA512
891b04ed7dc4d1fc07fae79b314a5ff4186b6acd8119bea34aa252acb1c76e6e33856f4091e9d45193c4ca9f54004e12a37a83b822fff01aec5daadccceaeee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
381ad58a2d349eb4f1efa241b4f47f3e

SHA1
1561cc54882ced57264cd4357f3fd46039099cf9

SHA256
f7a0aff5062d764f6b560b51a8078330c3f9177382bf57d94e7c1ea8cd00a454

SHA512
9585252cf0491e01902f16a9eef1e4aa5d97926514dd155973f831721e9e4480069a80c961eedb121d7fef739971b6d8ac4b6b60ee7c410b8907782450f86c18

Download Submit
\??\pipe\LOCAL\crashpad_4576_UTMDWDRFWFCUDGPC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/460-18-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-77-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-83-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-20-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-19-0x0000000000B01000-0x0000000000B2F000-memory.dmp

Filesize
184KB

Download
memory/460-21-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-22-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-23-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-24-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-26-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-82-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-81-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-76-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/460-75-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/2820-1-0x0000000077964000-0x0000000077966000-memory.dmp

Filesize
8KB

Download
memory/2820-2-0x0000000000861000-0x000000000088F000-memory.dmp

Filesize
184KB

Download
memory/2820-0-0x0000000000860000-0x0000000000D26000-memory.dmp

Filesize
4.8MB

Download
memory/2820-3-0x0000000000860000-0x0000000000D26000-memory.dmp

Filesize
4.8MB

Download
memory/2820-5-0x0000000000860000-0x0000000000D26000-memory.dmp

Filesize
4.8MB

Download
memory/2820-17-0x0000000000860000-0x0000000000D26000-memory.dmp

Filesize
4.8MB

Download
memory/5728-79-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download
memory/5728-80-0x0000000000B00000-0x0000000000FC6000-memory.dmp

Filesize
4.8MB

Download