amadey | 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d

Analysis

max time kernel
39s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 03:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Size

1.8MB
MD5

bc5023306fc8985f32a0a9e78156e17e
SHA1

c0548bcd5649f2b2e394fddd2b2e51361096d21c
SHA256

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
SHA512

25d4b98401407d5beb5a57fc5b99bf5ee238db5beb54931a07772dd7e3cf93f7e8ac9a7bee64fad3075aaf50463f1147688fb8fc347980d0f96342c43905f46c
SSDEEP

24576:FgtslEnROL38/C/dS8x9zypcmv2AuFKi03Gua/r6kiLrj57stKvfXNGXlpuPt3:QnY38/8S8Lzr6bi03NbkiLHYK3XYpW

Score

10^/10

amadey evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 1 IoCs

pid	Process
4208	explorgu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorgu.exe

Loads dropped DLL 2 IoCs

pid	Process
4468	rundll32.exe
4028	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5024	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
4208	explorgu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorgu.job	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
5024	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
4208	explorgu.exe
4208	explorgu.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4468	4208	explorgu.exe	96
PID 4208 wrote to memory of 4468	4208	explorgu.exe	96
PID 4208 wrote to memory of 4468	4208	explorgu.exe	96
PID 4468 wrote to memory of 4028	4468	rundll32.exe	95
PID 4468 wrote to memory of 4028	4468	rundll32.exe	95

C:\Users\Admin\AppData\Local\Temp\888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
"C:\Users\Admin\AppData\Local\Temp\888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4468
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:3280

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:3312

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
1⤵
- Loads dropped DLL
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
284KB

MD5
fef778db4cc8c3c34d51b0438c961148

SHA1
3e839f0d36c6c8a4f8ccbc91c18f6ec1c8423c83

SHA256
0ffb3a16597a4dc8a095db745921957e9f7444aa44a74e604dfeb1d2e5d21791

SHA512
742025ec7327ec8e3e4292ca56e2bdf37ee6c5196d4d8c4008b93ba0f914d1ff94a37708de3212b08e116a41a3d11976163cb451aa770efc953e7025c2e34ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
454KB

MD5
20974a7d5ca5709eb0ac4e1ba44722d3

SHA1
bd5fc3dc4157fdf5994499a834038f6451ab4958

SHA256
d145538457630072afc0d8665ceec840f373f89c30a96c2b7e8d3d8694cc2c55

SHA512
eaedd2b6117c4e91760161822405db6438ceb462a4c2853c5c6a533ba68f984e32c7471f73f3f9e62059b44916d2199b98ef094edf71df7159e68b334aa9a5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqhmy0q2.idx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
336KB

MD5
000c61d2da7931881c8b732ed227d4b9

SHA1
880d182b864facbacbc7dd90e24a48ce79a6e44b

SHA256
63cf9e9f91e4ecfb8d331029ebc51368dd5ab31cfda1774a3a37900f97146638

SHA512
3c881113a29a7382eac4737ab19635398594a1befb9e5dde323c8e145a43b7a9dac3fc4a44879909f801a9bf5acc43e59ca82eb1eb35e2e1060594cbda68c3ee

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
169KB

MD5
422a89f442a55dbf9d531462d735b733

SHA1
2cea38133a367c00c81bfe1d278a49a6c37f0dd6

SHA256
36cd6dc89d0a1cd365c43f7a8b4cafafb2304e4ffa626614699177e5bba4c24e

SHA512
2cf6b465cde12c4ff2e132002745ba30f00ee25a39a7f425ee5b138fc4444591a13a57b2a8a397299004483bea31c323b496226fa3352df789258afc0b80984a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
300KB

MD5
59cf7083e17e0e7183d7262a42606a23

SHA1
2af5b57f73c29386f4248b88f2b13e1d548b456b

SHA256
fe297bec694d6b49429db2682fc8d6cd1ec7d7c9a8d1b8821c165f41f66e91b6

SHA512
d58d432b67d85a678debb0fa93739bf6a7286c6b6b15cad2e4d82a15040d27671484427f044d65de7ff6441420074eaa7cefc5a84b6a3527a7f9c953c025c5fd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
195KB

MD5
4e164e238dbe7913e9b895919a19048d

SHA1
12b2b54e82617b55594730e9aae4b5bcba10cdd2

SHA256
9e49feef6bf9919753fde7ab4908a301d4637ba36c9c01e65e6a584e19af19c2

SHA512
0f20a90cb92b0b12e459841c585b3da5d386bfaae4fa8999c6b2038f037b6a61ffde2405f3248a603267162ceab86709f143741a7a759df8b126ee42455f18b2

Download Submit
memory/4208-21-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4208-82-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-85-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-84-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-83-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-18-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-22-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4208-26-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4208-25-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4208-24-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4208-86-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-23-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4208-27-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4208-20-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4208-19-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-28-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4208-54-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-29-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-81-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-80-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-79-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-78-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-77-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/4208-65-0x0000000000420000-0x00000000008D2000-memory.dmp

Filesize
4.7MB

Download
memory/5008-47-0x000001295C400000-0x000001295C422000-memory.dmp

Filesize
136KB

Download
memory/5008-55-0x000001295C430000-0x000001295C440000-memory.dmp

Filesize
64KB

Download
memory/5008-53-0x000001295C430000-0x000001295C440000-memory.dmp

Filesize
64KB

Download
memory/5008-52-0x00007FFE857D0000-0x00007FFE86291000-memory.dmp

Filesize
10.8MB

Download
memory/5008-56-0x000001295C430000-0x000001295C440000-memory.dmp

Filesize
64KB

Download
memory/5008-58-0x000001295E710000-0x000001295E71A000-memory.dmp

Filesize
40KB

Download
memory/5008-64-0x00007FFE857D0000-0x00007FFE86291000-memory.dmp

Filesize
10.8MB

Download
memory/5008-57-0x000001295EA90000-0x000001295EAA2000-memory.dmp

Filesize
72KB

Download
memory/5024-8-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/5024-1-0x0000000077D64000-0x0000000077D66000-memory.dmp

Filesize
8KB

Download
memory/5024-2-0x00000000007F0000-0x0000000000CA2000-memory.dmp

Filesize
4.7MB

Download
memory/5024-7-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/5024-6-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5024-0-0x00000000007F0000-0x0000000000CA2000-memory.dmp

Filesize
4.7MB

Download
memory/5024-5-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/5024-4-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/5024-3-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/5024-15-0x00000000007F0000-0x0000000000CA2000-memory.dmp

Filesize
4.7MB

Download
memory/5024-9-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/5024-10-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download