amadey | 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8

Analysis

max time kernel
147s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Size

1.9MB
MD5

518e327059f195dc6e0e2a026990e62c
SHA1

d5a16e477a3fc0b0ec5cce0a8e4a4bff94b387c8
SHA256

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8
SHA512

f472bffca620e2c404b9bd5e3ee8baa235f03c1a2a1000cf0d64163ea4b55664fc58970276dc5859267c29579014c7e49231028cf94e104c5c092fdc4e862dab
SSDEEP

24576:IcciOyv8l3Mr2BM/bLZmjG+VX+X0WI7pLGWGnHf/DTWCU13WqR4ou/7yqyqFeFjf:9c88l3Mr2BMTlmh515rCqvgyqgMIw

Score

10^/10

amadey stealc 4dd39d default evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid process

2708 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Drops file in Windows directory 1 IoCs

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description ioc process

File created C:\Windows\Tasks\explorti.job 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid process

2708 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
2708 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid process

2708 0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid	process
2708	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

description	ioc	process
File created	C:\Windows\Tasks\explorti.job	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid	process
2708	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
2708	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

pid	process
2708	0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe

C:\Users\Admin\AppData\Local\Temp\0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe
"C:\Users\Admin\AppData\Local\Temp\0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2708

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
2⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\1000006001\c1fd5c5f8d.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\c1fd5c5f8d.exe"
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
4⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
"C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
5⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFHDGDGIID.exe"
4⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\c1fd5c5f8d.exe
Filesize
2.4MB

MD5
102aa72dbd8fd873b3ac34eb95563b03

SHA1
6117b69f7aa1fecf3e01be7ae3716080f4e0c861

SHA256
bfa7a505e80c6729f6c3259f5a17fd32a3c48a54c49330fd21adda4bf7a93238

SHA512
b117022a0da5ae0f0873a13e6f63bed840da8258e5839bffdd2be9e5a465edf7f412e95e9ee62dc052c9ee25a08007e1414ab9e6f4ce5590f747974cc5d76714

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Filesize
1.9MB

MD5
518e327059f195dc6e0e2a026990e62c

SHA1
d5a16e477a3fc0b0ec5cce0a8e4a4bff94b387c8

SHA256
0f6ff2ba7a215d193ab1c49307dcc81e9ee7b1cd2d92246394a44d697e7aa8b8

SHA512
f472bffca620e2c404b9bd5e3ee8baa235f03c1a2a1000cf0d64163ea4b55664fc58970276dc5859267c29579014c7e49231028cf94e104c5c092fdc4e862dab

Download Submit
memory/1020-124-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-126-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-136-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-17-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-19-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

Filesize
184KB

Download
memory/1020-20-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-22-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-21-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-114-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-116-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-134-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-133-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-129-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-105-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-128-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-127-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-125-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-115-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-117-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-135-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-120-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-118-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/1020-119-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/2444-108-0x0000000000550000-0x000000000114C000-memory.dmp

Filesize
12.0MB

Download
memory/2444-38-0x0000000000550000-0x000000000114C000-memory.dmp

Filesize
12.0MB

Download
memory/2444-39-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2708-5-0x0000000000BF0000-0x00000000010CD000-memory.dmp

Filesize
4.9MB

Download
memory/2708-0-0x0000000000BF0000-0x00000000010CD000-memory.dmp

Filesize
4.9MB

Download
memory/2708-1-0x0000000077A24000-0x0000000077A26000-memory.dmp

Filesize
8KB

Download
memory/2708-2-0x0000000000BF1000-0x0000000000C1F000-memory.dmp

Filesize
184KB

Download
memory/2708-3-0x0000000000BF0000-0x00000000010CD000-memory.dmp

Filesize
4.9MB

Download
memory/2708-18-0x0000000000BF0000-0x00000000010CD000-memory.dmp

Filesize
4.9MB

Download
memory/2812-123-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/2812-122-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/3256-131-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/3256-132-0x0000000000DE0000-0x00000000012BD000-memory.dmp

Filesize
4.9MB

Download
memory/4816-113-0x0000000000E10000-0x00000000012ED000-memory.dmp

Filesize
4.9MB

Download
memory/4816-112-0x0000000000E10000-0x00000000012ED000-memory.dmp

Filesize
4.9MB

Download