Overview

overview

10

Static

static

1

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-02-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    595KB

  • MD5

    63d9528b6667199d22c482f15643ab31

  • SHA1

    6b6ee0d6d1d661dc3806b653757c5fa8fbc7fd36

  • SHA256

    7c94846904eeffd843980d64ba0eee3b8a81a52aeb60b5a5195bf7b426e4a443

  • SHA512

    1bcf34c21d452db4212358d5ba10339b1d8c42ceda80741affdd54f2bc6dac876e10d72b583e7e7df65d47d9d4f95184b38f7b51963e82afba34d8540dc44e58

  • SSDEEP

    12288:gh1Fk70TnvjcU72Em20lUIIgp05m/x979RE/UzIB8Irh:mk70TrcUSEHIIghREMyld

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes
  • install_dir

    4d0ab15804

  • install_file

    chrosha.exe

  • strings_key

    1a9519d7b465e1f4880fa09a6162d768

  • url_paths

    /enigma/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:3324
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 600
          3⤵
          • Program crash
          PID:232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
      1⤵
        PID:1068

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3324-9-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/3324-17-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/3324-12-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/3324-11-0x0000000000400000-0x000000000046C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/3572-5-0x0000000004E60000-0x0000000005404000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3572-6-0x0000000004D90000-0x0000000004E0E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/3572-1-0x00000000751A0000-0x0000000075950000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3572-3-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-4-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-13-0x0000000002790000-0x0000000004790000-memory.dmp

        Filesize

        32.0MB

        Download

      • memory/3572-2-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-16-0x00000000751A0000-0x0000000075950000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3572-0-0x0000000004C70000-0x0000000004CEE000-memory.dmp

        Filesize

        504KB

        Download