amadey | c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0

Analysis

max time kernel
143s
max time network
120s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
Size

1.8MB
MD5

d90847d0b02df2b08c7a247f2c8cc649
SHA1

e533d2aee3d31ba4e374e947e3f11fe4b79a8c16
SHA256

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0
SHA512

9fb8b9d680e958e9290240b7a601f69414c0116eb5366e42aacac382b6a31817f72eb50d3581d7bc4b238f95c7cf9d21f559af5db3fd26b741a28ee0336d2b93
SSDEEP

49152:zL+Gl7QhUDBB3A1FttHCnXbbf44pGmLWodWOd:z6Gl76wBVAvXHqrbwLmLnf

Score

10^/10

amadey 4dd39d evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorti.exec72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exeexplorti.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorti.exeexplorti.exec72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exeexplorti.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe

Executes dropped EXE 3 IoCs

Processes:

explorti.exeexplorti.exeexplorti.exe

pid process

4588 explorti.exe
3588 explorti.exe
2732 explorti.exe

pid	process
4588	explorti.exe
3588	explorti.exe
2732	explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorti.exeexplorti.exeexplorti.exec72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exeexplorti.exeexplorti.exeexplorti.exe

pid process

1540 c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
4588 explorti.exe
3588 explorti.exe
2732 explorti.exe
Drops file in Windows directory 1 IoCs

Processes:

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe

description ioc process

File created C:\Windows\Tasks\explorti.job c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorti.job	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exeexplorti.exeexplorti.exeexplorti.exe

pid	process
1540	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
1540	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
4588	explorti.exe
4588	explorti.exe
3588	explorti.exe
3588	explorti.exe
2732	explorti.exe
2732	explorti.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe

description	pid	process	target process
PID 1540 wrote to memory of 4588	1540	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe	explorti.exe
PID 1540 wrote to memory of 4588	1540	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe	explorti.exe
PID 1540 wrote to memory of 4588	1540	c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe	explorti.exe

C:\Users\Admin\AppData\Local\Temp\c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe
"C:\Users\Admin\AppData\Local\Temp\c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4588

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000006001\d79a55a6b4.exe
Filesize
16KB

MD5
34f1aab554e0c710bde80ff187ed9a88

SHA1
c0f5c78670787771cf708c5229880578c94cb272

SHA256
1303cdb5d2d3ea691560a3623d5113d4b779eaeaa82e5c9529a0a5da7e07102b

SHA512
ea721aaa53ff05d9c5af30d2828a6c9cc8500bf13774edf57801489dee478056bd5ccff6f1e469288cfd5362ba4728600f34ebde580ebf350a101d18a9dfe3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Filesize
1.8MB

MD5
d90847d0b02df2b08c7a247f2c8cc649

SHA1
e533d2aee3d31ba4e374e947e3f11fe4b79a8c16

SHA256
c72cbb4b668f0f56d9df6359e5d391908a9ef5bb21c8f8eb4445be9197c47ef0

SHA512
9fb8b9d680e958e9290240b7a601f69414c0116eb5366e42aacac382b6a31817f72eb50d3581d7bc4b238f95c7cf9d21f559af5db3fd26b741a28ee0336d2b93

Download Submit
memory/1540-17-0x0000000000E90000-0x000000000135B000-memory.dmp

Filesize
4.8MB

Download
memory/1540-3-0x0000000000E90000-0x000000000135B000-memory.dmp

Filesize
4.8MB

Download
memory/1540-5-0x0000000000E90000-0x000000000135B000-memory.dmp

Filesize
4.8MB

Download
memory/1540-2-0x0000000000E91000-0x0000000000EBF000-memory.dmp

Filesize
184KB

Download
memory/1540-0-0x0000000000E90000-0x000000000135B000-memory.dmp

Filesize
4.8MB

Download
memory/1540-1-0x00000000770E6000-0x00000000770E8000-memory.dmp

Filesize
8KB

Download
memory/2732-54-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/3588-32-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/3588-31-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/3588-30-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/3588-29-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-27-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-20-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-26-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-24-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-23-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-22-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-21-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-19-0x0000000000321000-0x000000000034F000-memory.dmp

Filesize
184KB

Download
memory/4588-33-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-25-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-48-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-49-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-50-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-51-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-52-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-18-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-55-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-56-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-57-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download
memory/4588-58-0x0000000000320000-0x00000000007EB000-memory.dmp

Filesize
4.8MB

Download