Overview

overview

10

Static

static

3

7652ee2b1f...4f.exe

windows7-x64

10

7652ee2b1f...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe

  • Size

    1.8MB

  • MD5

    fd99bc3307c9d14045736fd8dbcc06df

  • SHA1

    556af12bac58f37ed315a8567f9b0b3d181571cf

  • SHA256

    7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f

  • SHA512

    d19154f5fa63bc8bf5fa2f3b24ada0a1fa1be890b5972fe984a8dcf1735020baf6c831aae0739a55855078bc7ab2017623107cb297d361abd760a2f84696258e

  • SSDEEP

    49152:XNfmZUvuyENu82GjpFezMtr46xkif1KwIjiNB:dfgUvutu2jpYzMq6x31KwJN

Score
10/10
amadeyevasiontrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
    "C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2148-0-0x00000000002D0000-0x0000000000790000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/2148-1-0x0000000077AB0000-0x0000000077AB2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2148-2-0x00000000002D0000-0x0000000000790000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/2148-13-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-12-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-14-0x00000000009A0000-0x00000000009A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-11-0x0000000000A60000-0x0000000000A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-10-0x0000000000A70000-0x0000000000A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-9-0x0000000000A40000-0x0000000000A41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-8-0x0000000000990000-0x0000000000991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-7-0x00000000008E0000-0x00000000008E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-6-0x00000000023D0000-0x00000000023D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-5-0x0000000000A50000-0x0000000000A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-16-0x00000000009F0000-0x00000000009F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-17-0x00000000023E0000-0x00000000023E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-18-0x00000000008F0000-0x00000000008F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-19-0x0000000002640000-0x0000000002641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2148-23-0x00000000002D0000-0x0000000000790000-memory.dmp
    Filesize

    4.8MB

    Download