Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2024 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13cac8771d5bdf04a533f9d4af84f8d0aa240a2cfe85603beb9782c5261a4216.exe

  • Size

    1.8MB

  • MD5

    766b871e4a0cb690ef3697fd81f3f2d8

  • SHA1

    ce86761569a375c6dfa22bd5707125b05207e3dd

  • SHA256

    13cac8771d5bdf04a533f9d4af84f8d0aa240a2cfe85603beb9782c5261a4216

  • SHA512

    a32336ad9b4fec2697de85af6404a69f0b9ab0390fb16f7206c2090911afadc60677b72c790e135993048e5663efbbe86b192d020b1644b5ec2db0e8b9d4cc7c

  • SSDEEP

    49152:8o2laJ5uUQi8UU1k60147XalQIhYMNm8w0S/W6:8VaGUQi8UU1kF14TpuKUS/W6

Score
10/10
amadeyevasiontrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13cac8771d5bdf04a533f9d4af84f8d0aa240a2cfe85603beb9782c5261a4216.exe
    "C:\Users\Admin\AppData\Local\Temp\13cac8771d5bdf04a533f9d4af84f8d0aa240a2cfe85603beb9782c5261a4216.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2684-0-0x0000000000E70000-0x0000000001327000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2684-1-0x0000000077970000-0x0000000077972000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2684-2-0x0000000000E70000-0x0000000001327000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2684-3-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-13-0x00000000005B0000-0x00000000005B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-12-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-11-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-10-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-9-0x0000000000560000-0x0000000000561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-8-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-7-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-6-0x0000000000A10000-0x0000000000A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-5-0x0000000000620000-0x0000000000621000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-4-0x00000000009E0000-0x00000000009E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-15-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-16-0x0000000000B30000-0x0000000000B31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-17-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-18-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-22-0x0000000000E70000-0x0000000001327000-memory.dmp

    Filesize

    4.7MB

    Download