amadey | decbcf05edc76dd31fbf2e2eefb16305e4086c0b0d8df47e5d4631433e9387f5

Analysis

max time kernel
19s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Size

4.4MB
MD5

81ed47a991b51ac416d56e87a29a9e1e
SHA1

0532b1052beed07bb9243e819b4dd5c3343120eb
SHA256

ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
SHA512

1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62
SSDEEP

98304:Weekh63DHMYli6N3ZngCekllw5HON7IZGwTT5MCMBwxQf+0b:Weu3DHJ9RplwxOqEA5MdWxQd

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1840	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1840	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
1840	ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe

C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
"C:\Users\Admin\AppData\Local\Temp\ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1840
- C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
  "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
  2⤵
  PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3332
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    3⤵
    PID:4376
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      PID:1928
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\815711207184_Desktop.zip' -CompressionLevel Optimal
        5⤵
        
        PID:1964
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    3⤵
    PID:1768

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
832KB

MD5
5d6aa016866c585c028a47339d0a3eb4

SHA1
2a3f5ecc670b22adad727feda9b518787ca8de55

SHA256
94696796af66fa02e663bb8962ab92a766981a8ff9071e403308105c75b9f0e3

SHA512
b3962b2ebfee0e1049043c09fb9c39d74f16f8451848ca8cc4aa0c33e1815f8a888595516c48d8348c21876bf5e0b68ed59c6d3312fb28da05434b8e65f9120e

Download Submit
memory/752-69-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-86-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-90-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-89-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-87-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-88-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-56-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-84-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-85-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-83-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-151-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-70-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-36-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-58-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-57-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-54-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-51-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-38-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-42-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/752-49-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-50-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-52-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-53-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/752-55-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-180-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-158-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-157-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-162-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-169-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-171-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-170-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-175-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-174-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-173-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-172-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1168-176-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-177-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-178-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1168-179-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-13-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-18-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-35-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-1-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-22-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-21-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-20-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-2-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-0-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-5-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/1840-12-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-14-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-37-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-15-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-19-0x0000000077B24000-0x0000000077B26000-memory.dmp

Filesize
8KB

Download
memory/1840-17-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1840-16-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/1964-108-0x00000207D90E0000-0x00000207D90F0000-memory.dmp

Filesize
64KB

Download
memory/1964-109-0x00000207D90E0000-0x00000207D90F0000-memory.dmp

Filesize
64KB

Download
memory/1964-110-0x00000207D90E0000-0x00000207D90F0000-memory.dmp

Filesize
64KB

Download
memory/1964-133-0x00000207C0F30000-0x00000207C0F3A000-memory.dmp

Filesize
40KB

Download
memory/1964-132-0x00000207D9BE0000-0x00000207D9BF2000-memory.dmp

Filesize
72KB

Download
memory/1964-150-0x00007FFE4DD60000-0x00007FFE4E821000-memory.dmp

Filesize
10.8MB

Download
memory/1964-107-0x00007FFE4DD60000-0x00007FFE4E821000-memory.dmp

Filesize
10.8MB

Download
memory/1964-102-0x00000207C0F40000-0x00000207C0F62000-memory.dmp

Filesize
136KB

Download
memory/2136-188-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-92-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-129-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-130-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-128-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-127-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-126-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-121-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-125-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-122-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-124-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-123-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-120-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-119-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-118-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4728-111-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download
memory/4728-93-0x0000000000400000-0x0000000000FDE000-memory.dmp

Filesize
11.9MB

Download