amadey | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9

General

Target

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Size

1.8MB
MD5

4fbb379faf60b95bc8187f9e05fe3ec7
SHA1

6ba311ae532033c5afc2c8a2fa0b6d435e882a51
SHA256

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9
SHA512

9c38817b64412d27bf2f2ba58bb207eaa88665a63f3d659139d5e686c12387969790fb33f6aafbe762191763b5f3a8a9dc894ac21381f48ce46a52b6b2d1f758
SSDEEP

24576:vHrHDqdPZRwyv6X6O2FsALnUBNujAWhvPY/ZssOcFnuVH0/uGwwfYvX+58TeSD0r:frHK3v6X6O2FrwBzWmsTAnuVzvuCaV

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Wine	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid process

2892 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Drops file in Windows directory 1 IoCs

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid process

2892 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid process

2892 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid	process
2892	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid	process
2892	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

pid	process
2892	28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

C:\Users\Admin\AppData\Local\Temp\28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
"C:\Users\Admin\AppData\Local\Temp\28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2892

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-0-0x0000000000340000-0x00000000007F4000-memory.dmp

Filesize
4.7MB

Download
memory/2892-1-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/2892-2-0x0000000000340000-0x00000000007F4000-memory.dmp

Filesize
4.7MB

Download
memory/2892-3-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2892-4-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2892-6-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2892-11-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2892-10-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2892-9-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2892-12-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2892-8-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2892-7-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2892-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2892-14-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2892-13-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2892-16-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2892-17-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/2892-21-0x0000000000340000-0x00000000007F4000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads