amadey | e0957dd3e196e2d0d56eaac0a14cb73244a457b97ebac112affb0708f500d815

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
Size

2.4MB
MD5

b3badd1cd2cba4f587bd6737d34d3569
SHA1

bc229f10399c3482df1faa98bf7074a4440e82a5
SHA256

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd
SHA512

9ab73372ed54e468d90bda23279f983db8ca2486a41718fcba4e3b2931cf40c3f6e82c1fbe3cce695057d0fca241d40cda9b272a0e1cfc0ac4fdf1a5aad05b49
SSDEEP

49152:rh/Kr1IeHpgDfCeER3nsxnC+Nisx8rAmTYQ:rVKBpHeDXERcM+sAW

Score

10^/10

amadey stealc 4dd39d default discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

CAKKEGDGCG.exeIDGIJEGHDA.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CAKKEGDGCG.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IDGIJEGHDA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CAKKEGDGCG.exeexplorti.exeIDGIJEGHDA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CAKKEGDGCG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CAKKEGDGCG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IDGIJEGHDA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IDGIJEGHDA.exe

Executes dropped EXE 4 IoCs

Processes:

CAKKEGDGCG.exeIDGIJEGHDA.exeexplorti.exe132979ba26.exe

pid process

1064 CAKKEGDGCG.exe
1244 IDGIJEGHDA.exe
1724 explorti.exe
880 132979ba26.exe

pid	process
1064	CAKKEGDGCG.exe
1244	IDGIJEGHDA.exe
1724	explorti.exe
880	132979ba26.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

CAKKEGDGCG.exeIDGIJEGHDA.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	CAKKEGDGCG.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	IDGIJEGHDA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine	explorti.exe

Loads dropped DLL 6 IoCs

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.execmd.execmd.exeCAKKEGDGCG.exeexplorti.exe

pid process

2460 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2740 cmd.exe
1664 cmd.exe
1064 CAKKEGDGCG.exe
1724 explorti.exe
1724 explorti.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exeCAKKEGDGCG.exeexplorti.exeIDGIJEGHDA.exe132979ba26.exe

pid	process
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
1064	CAKKEGDGCG.exe
1724	explorti.exe
1244	IDGIJEGHDA.exe
880	132979ba26.exe

Drops file in Windows directory 1 IoCs

Processes:

CAKKEGDGCG.exe

description ioc process

File created C:\Windows\Tasks\explorti.job CAKKEGDGCG.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorti.job	CAKKEGDGCG.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exeCAKKEGDGCG.exeexplorti.exeIDGIJEGHDA.exe

pid	process
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
1064	CAKKEGDGCG.exe
1724	explorti.exe
1244	IDGIJEGHDA.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

CAKKEGDGCG.exe

pid process

1064 CAKKEGDGCG.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe132979ba26.exe

pid process

2460 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
880 132979ba26.exe

pid	process
1064	CAKKEGDGCG.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.execmd.execmd.exeCAKKEGDGCG.exeexplorti.exe

description	pid	process	target process
PID 2460 wrote to memory of 2740	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 2740	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 2740	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 2740	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2740 wrote to memory of 1064	2740	cmd.exe	CAKKEGDGCG.exe
PID 2740 wrote to memory of 1064	2740	cmd.exe	CAKKEGDGCG.exe
PID 2740 wrote to memory of 1064	2740	cmd.exe	CAKKEGDGCG.exe
PID 2740 wrote to memory of 1064	2740	cmd.exe	CAKKEGDGCG.exe
PID 2460 wrote to memory of 1664	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe	cmd.exe
PID 1664 wrote to memory of 1244	1664	cmd.exe	IDGIJEGHDA.exe
PID 1664 wrote to memory of 1244	1664	cmd.exe	IDGIJEGHDA.exe
PID 1664 wrote to memory of 1244	1664	cmd.exe	IDGIJEGHDA.exe
PID 1664 wrote to memory of 1244	1664	cmd.exe	IDGIJEGHDA.exe
PID 1064 wrote to memory of 1724	1064	CAKKEGDGCG.exe	explorti.exe
PID 1064 wrote to memory of 1724	1064	CAKKEGDGCG.exe	explorti.exe
PID 1064 wrote to memory of 1724	1064	CAKKEGDGCG.exe	explorti.exe
PID 1064 wrote to memory of 1724	1064	CAKKEGDGCG.exe	explorti.exe
PID 1724 wrote to memory of 880	1724	explorti.exe	132979ba26.exe
PID 1724 wrote to memory of 880	1724	explorti.exe	132979ba26.exe
PID 1724 wrote to memory of 880	1724	explorti.exe	132979ba26.exe
PID 1724 wrote to memory of 880	1724	explorti.exe	132979ba26.exe

C:\Users\Admin\AppData\Local\Temp\9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
"C:\Users\Admin\AppData\Local\Temp\9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe
"C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe
"C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe
Filesize
2.4MB

MD5
3a56a5f933e6b97840d88c99bc445f7b

SHA1
2406c6ebe491b5d3660b66922d90f250eeabe5fe

SHA256
40f2617cfc50b6e9db64c830f38e25cca0d2bd2b2d27f155cdce68ed6c6b26fd

SHA512
31a48b0e84b47527a1dafac792d831aa57d94adf826d947ac293a31c058e8f0054ceba4eabfa608829fc9b9608a844069b44298e4bdfe4c29ee8cee01ade765b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe
Filesize
1.8MB

MD5
71dd514c0a569e5b41474454618814de

SHA1
a169c976a62bafb43d6513edd0dba801118c9eff

SHA256
ecb8a5d642b1895d92da0f2574168d86795a3cbb4c5646ae7e3623c4af36e9c8

SHA512
df57b220c0e39536e12fcf9dfe3de64035315112b46d2223944b3e35fc74da07cd3c9927b29186dedb9adf1e17ced55667dd2b0f6624fb1e946bdfa658daa006

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/880-113-0x0000000000E00000-0x00000000019E9000-memory.dmp

Filesize
11.9MB

Download
memory/880-115-0x0000000000E00000-0x00000000019E9000-memory.dmp

Filesize
11.9MB

Download
memory/1064-68-0x0000000000B20000-0x0000000000FE2000-memory.dmp

Filesize
4.8MB

Download
memory/1064-67-0x0000000000B21000-0x0000000000B4F000-memory.dmp

Filesize
184KB

Download
memory/1064-66-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1064-90-0x0000000007010000-0x00000000074D2000-memory.dmp

Filesize
4.8MB

Download
memory/1064-65-0x0000000000B20000-0x0000000000FE2000-memory.dmp

Filesize
4.8MB

Download
memory/1064-89-0x0000000000B20000-0x0000000000FE2000-memory.dmp

Filesize
4.8MB

Download
memory/1064-74-0x0000000000B20000-0x0000000000FE2000-memory.dmp

Filesize
4.8MB

Download
memory/1244-93-0x0000000000FC0000-0x0000000001482000-memory.dmp

Filesize
4.8MB

Download
memory/1244-79-0x0000000000FC0000-0x0000000001482000-memory.dmp

Filesize
4.8MB

Download
memory/1664-77-0x00000000020F0000-0x00000000025B2000-memory.dmp

Filesize
4.8MB

Download
memory/1664-118-0x00000000020F0000-0x00000000025B2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-116-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-117-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-126-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-125-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-124-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-123-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-91-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-121-0x0000000006C00000-0x00000000077E9000-memory.dmp

Filesize
11.9MB

Download
memory/1724-122-0x0000000006C00000-0x00000000077E9000-memory.dmp

Filesize
11.9MB

Download
memory/1724-120-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/1724-111-0x0000000006C00000-0x00000000077E9000-memory.dmp

Filesize
11.9MB

Download
memory/1724-112-0x0000000006C00000-0x00000000077E9000-memory.dmp

Filesize
11.9MB

Download
memory/1724-119-0x0000000001030000-0x00000000014F2000-memory.dmp

Filesize
4.8MB

Download
memory/2460-37-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2460-0-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2460-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2460-34-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-35-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-36-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-72-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-38-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-39-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-40-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download
memory/2460-46-0x00000000008E0000-0x00000000014D6000-memory.dmp

Filesize
12.0MB

Download