amadey | 6517199f55774b2971c8af8b4eb795cc9508b0e1931b5e905582e2de906b90c7

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.8MB
MD5

3504d7ad9a89389763f101029b997b50
SHA1

437bba2822cfd5bdf8160e931553627c780ba5da
SHA256

6517199f55774b2971c8af8b4eb795cc9508b0e1931b5e905582e2de906b90c7
SHA512

a5cb80ead43810f76da6eb6fa5d402179c85c0071c55eb81c48ef60ec96b7db9075b0ac3b1356b3e4538f568c0f26f5b805619690d9f15541a7bdcb07738cc48
SSDEEP

49152:vjfr78uR3zRyOTpqJq04aghQXJ4aPaowjpyw:vjP8qZsA0rVXJ4ayc

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

tmp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

tmp.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine tmp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

tmp.exe

pid process

1664 tmp.exe
Drops file in Windows directory 1 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1664 tmp.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

1664 tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine	tmp.exe

pid	process
1664	tmp.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	tmp.exe

pid	process
1664	tmp.exe

pid	process
1664	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1664

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-0-0x0000000000940000-0x0000000000DFC000-memory.dmp

Filesize
4.7MB

Download
memory/1664-1-0x0000000077370000-0x0000000077372000-memory.dmp

Filesize
8KB

Download
memory/1664-2-0x0000000000940000-0x0000000000DFC000-memory.dmp

Filesize
4.7MB

Download
memory/1664-3-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1664-14-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1664-13-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1664-12-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1664-11-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1664-10-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1664-9-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1664-8-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1664-7-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1664-6-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1664-5-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1664-4-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1664-16-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1664-15-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1664-18-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1664-19-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1664-23-0x0000000000940000-0x0000000000DFC000-memory.dmp

Filesize
4.7MB

Download