Overview

overview

10

Static

static

1

Amdau.exe

windows7-x64

10

Amdau.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2023 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Amdau.exe

  • Size

    3.2MB

  • MD5

    c3ee25c18f2c408c9054d9c6d4c1e147

  • SHA1

    80d2395709b713647b199c22fdec5415d3a68052

  • SHA256

    c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0

  • SHA512

    d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4

  • SSDEEP

    24576:0cUe92VHXy4fv6hfZQGwSWF6r+tLq9rNE0TR5sTlcJxbTGX+tIonLiMjrWD:rt9L4p7GJEeR51TGX10LPjrWD

Score
10/10
amadeyevasiontrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://45.9.74.182/b7djSDcPcZ/index.php

Attributes
  • install_dir

    f3f10bd848

  • install_file

    bstyoops.exe

  • strings_key

    05986a1cda6dc6caabf469f27fb6c32d

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Amdau.exe
    "C:\Users\Admin\AppData\Local\Temp\Amdau.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Users\Admin\AppData\Local\Temp\1001233051\clip.exe
        "C:\Users\Admin\AppData\Local\Temp\1001233051\clip.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1yg.0.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:1336
          • C:\ProgramData\presepuesto\LEAJ.exe
            "C:\ProgramData\presepuesto\LEAJ.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:2008
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 532
              6⤵
              • Program crash
              PID:560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008
    1⤵
      PID:3412
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:4328
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4876

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\presepuesto\LEAJ.exe
        Filesize

        5.6MB

        MD5

        55a7682ff0b918010481c8daa6b76a32

        SHA1

        e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

        SHA256

        033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

        SHA512

        794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

        Download Submit

      • C:\ProgramData\presepuesto\LEAJ.exe
        Filesize

        5.6MB

        MD5

        55a7682ff0b918010481c8daa6b76a32

        SHA1

        e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

        SHA256

        033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

        SHA512

        794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1001233051\clip.exe
        Filesize

        5.6MB

        MD5

        55a7682ff0b918010481c8daa6b76a32

        SHA1

        e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

        SHA256

        033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

        SHA512

        794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1001233051\clip.exe
        Filesize

        5.6MB

        MD5

        55a7682ff0b918010481c8daa6b76a32

        SHA1

        e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

        SHA256

        033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

        SHA512

        794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1001233051\clip.exe
        Filesize

        5.6MB

        MD5

        55a7682ff0b918010481c8daa6b76a32

        SHA1

        e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

        SHA256

        033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

        SHA512

        794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\s1yg.0.bat
        Filesize

        175B

        MD5

        3eab73df9183af4a56b46c2cb4a6fe13

        SHA1

        34ae2c01fdce84a0edde24d62a28a4ab3c9cb030

        SHA256

        a9bba9c9a29c5ed3c44e44f4312a13e4bafc0c7c1d8ecfc99bced5d2d45420de

        SHA512

        d7a937bd2d02417be8dc637bc36cfc38c1592a2a102d228da7dd3b0a98de6a3c6dd041b9f8ae9bfe847c0170339f10e44f0993e7cbee496ae5b84d59ae0ede1f

        Download Submit

      • memory/32-66-0x0000000005840000-0x0000000005850000-memory.dmp

        Filesize

        64KB

        Download

      • memory/32-5-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-10-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-12-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-14-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-16-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-18-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-20-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-22-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-24-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-26-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-28-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-29-0x0000000005840000-0x0000000005850000-memory.dmp

        Filesize

        64KB

        Download

      • memory/32-30-0x0000000005570000-0x0000000005571000-memory.dmp

        Filesize

        4KB

        Download

      • memory/32-0-0x0000000074F00000-0x00000000756B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/32-2-0x00000000055F0000-0x000000000568C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/32-79-0x0000000074F00000-0x00000000756B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/32-3-0x0000000074F00000-0x00000000756B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/32-1-0x0000000000A20000-0x0000000000D54000-memory.dmp

        Filesize

        3.2MB

        Download

      • memory/32-6-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/32-4-0x00000000030C0000-0x00000000030DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/32-8-0x00000000030C0000-0x00000000030D5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/632-35-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-51-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-42-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-31-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-32-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-33-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/632-34-0x0000000000400000-0x000000000043B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/2008-87-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2008-83-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2008-92-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2008-93-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2008-94-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-65-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-72-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-64-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-63-0x0000000077A14000-0x0000000077A16000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2536-58-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-55-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/2536-54-0x0000000000400000-0x0000000001219000-memory.dmp

        Filesize

        14.1MB

        Download

      • memory/4876-95-0x0000027F4D840000-0x0000027F4D850000-memory.dmp

        Filesize

        64KB

        Download