amadey | 22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Size

1.8MB
MD5

9f1131b52d56f4674109fb3024622484
SHA1

f52d12d6b2cb20faa8efb2b907acc00ea17b10bb
SHA256

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21
SHA512

3c33640e15fc45006d3ece9282a49f0c7f279062f4317deabacb381dc7e0ee8215faf8b93d93b7c4ad01bd6ed9bb6e0a735d0caff77c44684a4a246e4540d825
SSDEEP

24576:9DtaCLTFYHoOlfbWlScp/D9oO4h/+ay3uIThqNQpLWrzGizkqJrWko3QUKqxcL4i:9DtaCnFq5ZXhi+vQiNriY4Y8mUob

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

188 1736 rundll32.exe
Downloads MZ/PE file

flow	pid	process
188	1736	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 1 IoCs

Processes:

explorgu.exe

pid process

2628 explorgu.exe

pid	process
2628	explorgu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Key opened	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Wine	explorgu.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1736 rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exeexplorgu.exe

pid process

332 22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
2628 explorgu.exe
Drops file in Windows directory 1 IoCs

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1736	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exeexplorgu.exe

pid	process
332	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
332	22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
2628	explorgu.exe
2628	explorgu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 4860 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe

pid process

332 22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe

description	pid	process
Token: SeManageVolumePrivilege	4860	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

explorgu.exerundll32.exe

description	pid	process	target process
PID 2628 wrote to memory of 2324	2628	explorgu.exe	rundll32.exe
PID 2628 wrote to memory of 2324	2628	explorgu.exe	rundll32.exe
PID 2628 wrote to memory of 2324	2628	explorgu.exe	rundll32.exe
PID 2324 wrote to memory of 5004	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 5004	2324	rundll32.exe	rundll32.exe
PID 2628 wrote to memory of 1736	2628	explorgu.exe	rundll32.exe
PID 2628 wrote to memory of 1736	2628	explorgu.exe	rundll32.exe
PID 2628 wrote to memory of 1736	2628	explorgu.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe
"C:\Users\Admin\AppData\Local\Temp\22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:332

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:5004
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1736

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
9f1131b52d56f4674109fb3024622484

SHA1
f52d12d6b2cb20faa8efb2b907acc00ea17b10bb

SHA256
22e4c9489e8ea70cf049a923e4c5684ef452c06478330e92c5aff915c59edd21

SHA512
3c33640e15fc45006d3ece9282a49f0c7f279062f4317deabacb381dc7e0ee8215faf8b93d93b7c4ad01bd6ed9bb6e0a735d0caff77c44684a4a246e4540d825

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
336KB

MD5
7423014bd33d1d590c750e4ea4e38dd3

SHA1
691940ffb1b6ec4b8484ae19a27aa5c8f552504e

SHA256
5c775d12142d92f45770aa4a14ac50cdf352690a62beaba90ca58e7cb4dbbf10

SHA512
d8bac2b825b332a41762421eca6a69e4bea5c5c5984877513c3a5bd28c8ed2eb65403d194e8bdac8b6cf43666fbbb8f0ca51f2b970693c8c2388a8841c661be1

Download Submit
memory/332-6-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/332-4-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/332-5-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/332-0-0x0000000000870000-0x0000000000D17000-memory.dmp

Filesize
4.7MB

Download
memory/332-9-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/332-8-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/332-7-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/332-10-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/332-15-0x0000000000870000-0x0000000000D17000-memory.dmp

Filesize
4.7MB

Download
memory/332-3-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/332-2-0x0000000000870000-0x0000000000D17000-memory.dmp

Filesize
4.7MB

Download
memory/332-1-0x0000000077634000-0x0000000077636000-memory.dmp

Filesize
8KB

Download
memory/2628-27-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2628-35-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-23-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2628-21-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2628-24-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2628-25-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2628-26-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2628-20-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2628-28-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-29-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-30-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-31-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-32-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-33-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-34-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-22-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2628-36-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-37-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-38-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-19-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-99-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-18-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-87-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/2628-84-0x0000000000630000-0x0000000000AD7000-memory.dmp

Filesize
4.7MB

Download
memory/4860-85-0x000001897CE70000-0x000001897CE71000-memory.dmp

Filesize
4KB

Download
memory/4860-83-0x000001897CE70000-0x000001897CE71000-memory.dmp

Filesize
4KB

Download
memory/4860-86-0x000001897CF80000-0x000001897CF81000-memory.dmp

Filesize
4KB

Download
memory/4860-81-0x000001897CE40000-0x000001897CE41000-memory.dmp

Filesize
4KB

Download
memory/4860-65-0x000001897CB40000-0x000001897CB50000-memory.dmp

Filesize
64KB

Download
memory/4860-49-0x000001897CA40000-0x000001897CA50000-memory.dmp

Filesize
64KB

Download