Overview

overview

10

Static

static

3

3deb44deca...71.exe

windows7-x64

10

3deb44deca...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2024 07:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3deb44decaf4c0c6bae78a603f2b4a71.exe

  • Size

    1.8MB

  • MD5

    3deb44decaf4c0c6bae78a603f2b4a71

  • SHA1

    b9ee88f8b78e5d392b48b6a911d5529308173568

  • SHA256

    0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b

  • SHA512

    eb4b9ab5423e818cedcbbc8b731948b5075df5768b57503b423cd49f10514b218c624feb66ba98ad57a624e00cf16fd04b73162e89cae5d7a5dbe8339f9c778b

  • SSDEEP

    49152:un5E5pxdMwL/kxgLj/jPRdFRrRUvpVuvAexy0C:eE5pM8sxgCBVmAexy0C

Score
10/10
amadeyevasiontrojan

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://185.215.113.32

Attributes
  • install_dir

    00c07260dc

  • install_file

    explorgu.exe

  • strings_key

    461809bd97c251ba0c0c8450c7055f1d

  • url_paths

    /yandex/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3deb44decaf4c0c6bae78a603f2b4a71.exe
    "C:\Users\Admin\AppData\Local\Temp\3deb44decaf4c0c6bae78a603f2b4a71.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:384
  • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
      Filesize

      1.0MB

      MD5

      610a18faf19c82768fd76d0853090419

      SHA1

      346c469df269c084b22a2b9bb640a72415f61a00

      SHA256

      3f1ba5e9bef2f0c17b43a95d5ffde07457e6098555b950413d9e3793d904c022

      SHA512

      fccfa5ae6edd574499f517373268427e048876c1072d0dc85614972a601f6eabc6505f9837ff7e8061a6fedcc5a3a2db0bb6642936221938405f1e0ce26bba41

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
      Filesize

      768KB

      MD5

      1182fde4fa59b181c2a03466f2785b18

      SHA1

      a008033b74556669a3972cefbbba0a430c7086d0

      SHA256

      73e4bc132f8c84ab50dac5bff102c1b8be9e1b8f576c32a128b356a109e57478

      SHA512

      bdc7362b6d76ef864d00970e1c000456b0aa10c9b3695139cd90be3d8f414423475e8e9f5bc5ed0f85bc0ad3ed15d08072c277d03b3f96929c6557aec65634ff

      Download Submit

    • memory/384-8-0x0000000004C30000-0x0000000004C31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-9-0x0000000004C80000-0x0000000004C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-4-0x0000000004C50000-0x0000000004C51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-5-0x0000000004C90000-0x0000000004C91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-6-0x0000000004C20000-0x0000000004C21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-7-0x0000000004C40000-0x0000000004C41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-0-0x0000000000E60000-0x0000000001319000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/384-3-0x0000000004C60000-0x0000000004C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-11-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-10-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/384-13-0x0000000000E60000-0x0000000001319000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/384-17-0x0000000000E60000-0x0000000001319000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/384-2-0x0000000000E60000-0x0000000001319000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/384-1-0x0000000077A44000-0x0000000077A46000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3628-23-0x0000000005850000-0x0000000005851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-31-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-20-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-28-0x0000000005880000-0x0000000005881000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-27-0x0000000005830000-0x0000000005831000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-26-0x0000000005840000-0x0000000005841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-25-0x0000000005820000-0x0000000005821000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-24-0x0000000005890000-0x0000000005891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-22-0x0000000005860000-0x0000000005861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-29-0x00000000058B0000-0x00000000058B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-30-0x00000000058A0000-0x00000000058A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3628-21-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-32-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-33-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-34-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-35-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-36-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-37-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-38-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-39-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-40-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3628-41-0x0000000000F60000-0x0000000001419000-memory.dmp

      Filesize

      4.7MB

      Download