amadey | 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3

General

Target

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Size

1.9MB
MD5

a3783c56ec85a68ad5ac12797df4eac8
SHA1

8b44c5479c06c0835fd29ce1c5d3638ec67ffe7e
SHA256

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3
SHA512

89017cc01b725ca4e579043be0d9e79733a6a07e36aabb83e015685335060724e3183e8dfb56325f577d1083e84064124d02f46f2093fbcb9772aef789d1d4c0
SSDEEP

49152:Uwro4ryC5nX7ekg0lN92bn5NgUQH+Kfj4u:UrC5rnL92bn5NgN

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exeexplorha.exe21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

39 1136 rundll32.exe
Downloads MZ/PE file

flow	pid	process
39	1136	rundll32.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorha.exeexplorha.exeexplorha.exe21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	explorha.exe

Executes dropped EXE 3 IoCs

Processes:

explorha.exeexplorha.exeexplorha.exe

pid process

4832 explorha.exe
3120 explorha.exe
3988 explorha.exe

pid	process
4832	explorha.exe
3120	explorha.exe
3988	explorha.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Software\Wine	explorha.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1136 rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exeexplorha.exeexplorha.exe

pid process

3356 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
4832 explorha.exe
3120 explorha.exe
3988 explorha.exe
Drops file in Windows directory 1 IoCs

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

description ioc process

File created C:\Windows\Tasks\explorha.job 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1136	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exeexplorha.exeexplorha.exe

pid	process
3356	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
3356	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
4832	explorha.exe
4832	explorha.exe
3120	explorha.exe
3120	explorha.exe
3988	explorha.exe
3988	explorha.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

pid process

3356 21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exeexplorha.exerundll32.exe

description	pid	process	target process
PID 3356 wrote to memory of 4832	3356	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe	explorha.exe
PID 3356 wrote to memory of 4832	3356	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe	explorha.exe
PID 3356 wrote to memory of 4832	3356	21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe	explorha.exe
PID 4832 wrote to memory of 4544	4832	explorha.exe	rundll32.exe
PID 4832 wrote to memory of 4544	4832	explorha.exe	rundll32.exe
PID 4832 wrote to memory of 4544	4832	explorha.exe	rundll32.exe
PID 4544 wrote to memory of 5088	4544	rundll32.exe	rundll32.exe
PID 4544 wrote to memory of 5088	4544	rundll32.exe	rundll32.exe
PID 4832 wrote to memory of 1136	4832	explorha.exe	rundll32.exe
PID 4832 wrote to memory of 1136	4832	explorha.exe	rundll32.exe
PID 4832 wrote to memory of 1136	4832	explorha.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe
"C:\Users\Admin\AppData\Local\Temp\21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
PID:5088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1136

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
Filesize
1.9MB

MD5
a3783c56ec85a68ad5ac12797df4eac8

SHA1
8b44c5479c06c0835fd29ce1c5d3638ec67ffe7e

SHA256
21c97b7886d56372292bf660056ce0ab83a6229afb23eb166caeb09f1927d5a3

SHA512
89017cc01b725ca4e579043be0d9e79733a6a07e36aabb83e015685335060724e3183e8dfb56325f577d1083e84064124d02f46f2093fbcb9772aef789d1d4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\b371549de9.exe
Filesize
784KB

MD5
792d9d5fc949a1bbeac96d722e586637

SHA1
45dc8d107c29e7cd9e3bd20b6b74a778b7b2da75

SHA256
bb055fa9dcbe7169427158d4a9d94cdb63da8263627859549ba0948e61421f29

SHA512
a31e49adf6d9f8a5c3977f375e22b94117205a8f00abe92379020a81254393e1c9322ea574696e8fe3e42613f0b3bbf4664b60b91799941b14e8e2fcae09bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
48KB

MD5
93f22941dfd1f09624d3faf917b3fbbe

SHA1
cf67702839d92930a7c9a83da906ca2914136eba

SHA256
8591cb7aaaf51dd400dc75059883f2bedcf6e2b1207a308c7eac948b1f30717c

SHA512
89156f9213be81e0f4ab03bb94f7e405eb53c14993113740179aa8f00116abad8a6ac9e9b2345ba2258d1adfb0ce715a864f2bbe27cd87e84e66acbb65de0329

Download Submit
memory/3120-47-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3120-46-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3120-45-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3120-40-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3120-48-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3120-41-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3120-44-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3120-43-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3120-42-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3356-9-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3356-11-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/3356-0-0x0000000000320000-0x00000000007F5000-memory.dmp

Filesize
4.8MB

Download
memory/3356-1-0x0000000077D64000-0x0000000077D66000-memory.dmp

Filesize
8KB

Download
memory/3356-2-0x0000000000320000-0x00000000007F5000-memory.dmp

Filesize
4.8MB

Download
memory/3356-3-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3356-24-0x0000000000320000-0x00000000007F5000-memory.dmp

Filesize
4.8MB

Download
memory/3356-4-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/3356-5-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3356-6-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3356-7-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3356-8-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3356-10-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3988-94-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/3988-98-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3988-89-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3988-90-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/3988-97-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3988-96-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3988-95-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3988-93-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3988-92-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3988-91-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/4832-25-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-38-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-49-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-50-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-37-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-65-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-36-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-75-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-35-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-86-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-87-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-34-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/4832-33-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/4832-32-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/4832-31-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4832-30-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/4832-29-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4832-26-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4832-28-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4832-27-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4832-23-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-99-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-100-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-101-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-102-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download
memory/4832-103-0x00000000003B0000-0x0000000000885000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads