Malware Analysis Report

2024-11-30 23:24

Sample ID 231013-ysv7gafd2v
Target NEAS.28ba42affc32f55c7ba5bcea219cae20.exe
SHA256 bfaf0cfd1a1e072b98697fe0058006009933c17a6669fca19f490b021b93ba3f
Tags amadey systembc persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 bfaf0cfd1a1e072b98697fe0058006009933c17a6669fca19f490b021b93ba3f

Threat Level: Known bad

The file NEAS.28ba42affc32f55c7ba5bcea219cae20.exe was found to be: Known bad.

Malicious Activity Summary

amadey systembc persistence trojan

Amadey family

Amadey

SystemBC

Downloads MZ/PE file

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-10-13 20:03

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-13 20:03
Reported 2023-10-13 21:02
Platform win7-20230831-en
Max time kernel 153s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\fveapibase.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000009060\\fveapibase.dll, rundll" C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000009060\fveapibase.dll, rundll

Network

Country Destination Domain Proto
US 8.8.8.8:53 cncdevelopment.org udp
US 188.114.96.0:80 cncdevelopment.org tcp
US 188.114.96.0:80 cncdevelopment.org tcp
US 8.8.8.8:53 gcdnbabl3global.rakudotek.fun udp
US 188.114.97.0:443 gcdnbabl3global.rakudotek.fun tcp

Files

C:\Users\Admin\AppData\Local\Temp\185155662718

MD5 5ed88a409c57799a16ba1a8a5957c112
SHA1 288caaefc496bbfee0ea69b263d892bb63ebe909
SHA256 b6a35f44202fcece7e46cca8558a2d7f30a52e6357387a6968af50e2063bf0f7
SHA512 e86307e56b34a6601186520622c57b640514a89d3332611738be88c9ad2fb032ab72b9f2f6e800400fa06befada776ac91e290d287500c8040e3f1025ea5cfa2

C:\Users\Admin\AppData\Roaming\1000009060\fveapibase.dll

MD5 6f288920336f1a1d2aa03622f02461a5
SHA1 f3751eb8c1dfe51cbddb259a236cfbbe516d1f2a
SHA256 3102898c3f6829528aff9ada49354418e086948c4313bf174058b1cf2a955cad
SHA512 469850c823cb08340e5ff20705267bb238f853834dd564b3698438f21b0d7f56c7048570facb776f3a7c4b15c451fa1b1c3fbad7436ad666fa8f40ae8f5c4ad0

memory/2772-34-0x0000000010000000-0x00000000100BC000-memory.dmp

memory/2772-37-0x0000000010000000-0x00000000100BC000-memory.dmp

memory/2772-38-0x0000000010000000-0x00000000100BC000-memory.dmp

memory/2772-40-0x0000000000270000-0x0000000000350000-memory.dmp

memory/2772-39-0x00000000000B0000-0x00000000000B4000-memory.dmp

memory/2772-36-0x0000000010000000-0x00000000100BC000-memory.dmp

memory/2772-42-0x00000000000B0000-0x00000000000B4000-memory.dmp

memory/2772-43-0x0000000000270000-0x0000000000350000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-13 20:03
Reported 2023-10-13 21:02
Platform win10v2004-20230915-en
Max time kernel 143s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"

Signatures

Amadey

trojan amadey

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 cncdevelopment.org udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 188.114.96.0:80 cncdevelopment.org tcp
US 188.114.96.0:80 cncdevelopment.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\890696111233

MD5 d5844bb8869090cbe82ed92f1a906c1f
SHA1 058faf9e59ef3b14addce2a60d87ade7eb421142
SHA256 fe2072ab1238ba62fbd3a6fc67fcd256be705c5e5e9f821df545bcdef6fde06a
SHA512 cd5e077b5b08e7db33b96e88174dbad71bcf7052caa9e0c01049c81243b1745a2c5ff9d7099654e5d405374b55412f2c244e0a302092b52626f1e3f691eb20ef