Malware Analysis Report

2025-08-05 21:02

Sample ID 240328-cpakpsda3y
Target 4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe
SHA256 4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22
Tags
amadey evasion trojan spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22

Threat Level: Known bad

The file 4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan spyware stealer

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads local data of messenger clients

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 02:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 02:14

Reported

2024-03-28 02:17

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe

"C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe"

Network

N/A

Files

memory/624-0-0x0000000001220000-0x00000000016D3000-memory.dmp

memory/624-1-0x00000000776B0000-0x00000000776B2000-memory.dmp

memory/624-2-0x0000000001220000-0x00000000016D3000-memory.dmp

memory/624-4-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/624-3-0x0000000000E40000-0x0000000000E41000-memory.dmp

memory/624-6-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/624-5-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/624-8-0x0000000000E30000-0x0000000000E31000-memory.dmp

memory/624-7-0x0000000000460000-0x0000000000461000-memory.dmp

memory/624-10-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

memory/624-9-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/624-12-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/624-11-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/624-13-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/624-14-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/624-15-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/624-16-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/624-18-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/624-19-0x0000000001080000-0x0000000001081000-memory.dmp

memory/624-23-0x0000000001220000-0x00000000016D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 02:14

Reported

2024-03-28 02:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Identifies Wine through registry keys

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3460 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2528 wrote to memory of 3828 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 2528 wrote to memory of 3828 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe
PID 3828 wrote to memory of 4472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 3828 wrote to memory of 4472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\netsh.exe
PID 3828 wrote to memory of 1388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3828 wrote to memory of 1388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3460 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe

"C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
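The WriteProcessMemory table and the Processes list above together describe one execution chain: the dropped explorgu.exe starts two 32-bit rundll32 instances that load DLLs from %APPDATA%, the cred64.dll instance re-launches itself through the 64-bit rundll32, and that process runs netsh and PowerShell. The Python below is an added example written by the editor, not sandbox output: it copies the page's PIDs, images, command lines and write edges, rebuilds the tree and flags the steps a detection engineer would alert on (rundll32 proxying a user-writable DLL, netsh Wi-Fi profile enumeration, Compress-Archive staging into Temp, a .job dropped in C:\Windows\Tasks). Two things are assumptions rather than page facts: which SysWOW64 rundll32 carried cred64.dll versus clip64.dll (2528 and 3604, taken from listing order), and the ATT&CK IDs in the rule strings, which are the editor's mapping. The report records no write from the sample (3892) into explorgu.exe (3460), so the tree is rendered with two roots rather than inventing that edge.

```python
"""Process-tree triage of the behavioral2 detonation (added example, not report output)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4404db31fa92a0ed3c3f8578f3f1d3992428f84b5b5aba4572acd39d194e8a22.exe"
RUNDLL32 = r'"C:\Windows\System32\rundll32.exe" '

# (image, command line) copied from the report, keyed by PID. PIDs come from the
# WriteProcessMemory table and memory-dump names. ASSUMPTION: 2528 = cred64.dll and
# 3604 = clip64.dll, inferred from the order of the Processes list.
PROCESSES = {
    3892: (SAMPLE, '"' + SAMPLE + '"'),
    3460: (r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe",
           r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    2528: (r"C:\Windows\SysWOW64\rundll32.exe",
           RUNDLL32 + r"C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main"),
    3828: (r"C:\Windows\system32\rundll32.exe",
           RUNDLL32 + r"C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main"),
    4472: (r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    1388: (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
           r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' "
           r"-CompressionLevel Optimal"),
    3604: (r"C:\Windows\SysWOW64\rundll32.exe",
           RUNDLL32 + r"C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main"),
}
# "PID X wrote to memory of Y" rows, duplicates collapsed; treated as parent -> child.
WRITES = [(3460, 2528), (2528, 3828), (3828, 4472), (3828, 1388), (3460, 3604)]
# From "Drops file in Windows directory": created by the sample (3892).
DROPPED_BY_SAMPLE = [r"C:\Windows\Tasks\explorgu.job"]

RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\w+)', re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
ARCHIVE_RE = re.compile(r"Compress-Archive\s.*?-DestinationPath\s+'?(?P<zip>[^'\s]+)", re.I)


def triage(cmdline: str) -> list[str]:
    """Indicators present in one command line (editor's heuristics, ATT&CK IDs are the editor's)."""
    hits = []
    m = RUNDLL32_RE.search(cmdline)
    if m and USER_WRITABLE_RE.search(m["dll"]):
        hits.append(f"rundll32 proxy-executes user-writable DLL {m['dll']} export {m['export']} (T1218.011)")
    if re.search(r"\bnetsh\b.*\bwlan\b.*\bshow\s+profiles\b", cmdline, re.I):
        hits.append("netsh enumerates saved Wi-Fi profiles")
    m = ARCHIVE_RE.search(cmdline)
    if m and USER_WRITABLE_RE.search(m["zip"]):
        hits.append(f"PowerShell stages collected files into {m['zip']} (T1560.001)")
    return hits


def triage_file_drop(path: str) -> list[str]:
    """A .job written under C:\\Windows\\Tasks is legacy Task Scheduler persistence."""
    if re.search(r"\\windows\\tasks\\[^\\]+\.job$", path, re.I):
        return [f"scheduled-task job file {path} (T1053.005)"]
    return []


def build_tree(writes):
    """Children per PID (in first-seen order) and the PIDs nobody wrote into (roots)."""
    children = defaultdict(list)
    parent = {}
    for src, dst in writes:
        if dst not in children[src]:
            children[src].append(dst)
        parent[dst] = src
    roots = [pid for pid in PROCESSES if pid not in parent]
    return children, roots


def analyse():
    findings = {pid: triage(cmd) for pid, (_, cmd) in PROCESSES.items()}
    for path in DROPPED_BY_SAMPLE:
        findings[3892] += triage_file_drop(path)
    children, roots = build_tree(WRITES)
    return findings, children, roots


def render(pid, children, findings, depth=0) -> list[str]:
    """Indented tree; flagged processes carry their findings on the same line."""
    image = PROCESSES[pid][0].rsplit("\\", 1)[-1]
    line = f"{'  ' * depth}{pid} {image}"
    if findings.get(pid):
        line += "  <-- " + "; ".join(findings[pid])
    out = [line]
    for child in children.get(pid, []):
        out.extend(render(child, children, findings, depth + 1))
    return out


if __name__ == "__main__":
    findings, children, roots = analyse()
    for root in roots:
        print("\n".join(render(root, children, findings)))
```

The useful property of the rule set is that none of the rules depend on the hashes or the per-campaign directory names (00c07260dc, 006700e5a2ab05), which change between builds; they key on the behaviour that stays stable: a signed Windows binary (rundll32, netsh, powershell) doing something from or into a user-writable location.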

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 8.8.8.8:53 | 32.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
GB | 172.217.169.74:443 | | tcp
RU | 185.215.113.32:80 | 185.215.113.32 | tcp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp
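The Network table mixes two kinds of rows: reverse (PTR) lookups sent to 8.8.8.8, whose in-addr.arpa names encode the addresses the host was talking to, and the connections themselves. Every DNS row on this page is a PTR query; there is no forward lookup, so the three plaintext connections to 185.215.113.32:80 were made to a hard-coded address. The Python below is an editor-added example, not sandbox output: it copies the rows from the table, turns the in-addr.arpa names back into addresses, counts the direct connections, applies the editor's own candidate rule (repeated, non-443 TCP to an address with no hostname) and cross-references the PTR lookups against the contacted peers. The threshold and the rule are assumptions about what is worth escalating, not something the report states.

```python
"""Network triage for the behavioral2 detonation (added example, not report output)."""
import ipaddress
from collections import Counter

# Rows copied from the report's Network table: (country, destination, domain, proto).
# Rows that had no Domain cell carry an empty string.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "122.136.73.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("RU", "185.215.113.32:80", "185.215.113.32", "tcp"),
    ("US", "8.8.8.8:53", "32.113.215.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("RU", "185.215.113.32:80", "185.215.113.32", "tcp"),
    ("US", "13.107.253.64:443", "", "tcp"),
    ("US", "8.8.8.8:53", "217.135.221.88.in-addr.arpa", "udp"),
    ("GB", "172.217.169.74:443", "", "tcp"),
    ("RU", "185.215.113.32:80", "185.215.113.32", "tcp"),
    ("US", "8.8.8.8:53", "209.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "48.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "24.121.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "136.71.105.51.in-addr.arpa", "udp"),
]


def ptr_to_ip(name: str):
    """d.c.b.a.in-addr.arpa -> 'a.b.c.d'; None if the name is not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarise(rows):
    """Split rows into PTR-queried addresses and a Counter of direct connections."""
    ptr_lookups = []
    direct = Counter()
    for country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if port == "53" and proto == "udp":
            target = ptr_to_ip(domain)
            if target:
                ptr_lookups.append(target)
            continue
        # Keep the Domain cell so the C2 rule can see whether a hostname was ever involved.
        direct[(ip, int(port), proto, country, domain)] += 1
    return ptr_lookups, direct


def c2_candidates(direct, min_hits=2):
    """Editor's rule: repeated plaintext (non-443) TCP to an address with no hostname."""
    out = []
    for (ip, port, proto, _country, domain), hits in direct.items():
        hostname_free = domain in ("", ip)
        if proto == "tcp" and port != 443 and hostname_free and hits >= min_hits:
            out.append((ip, port, hits))
    return sorted(out, key=lambda t: -t[2])


def contacted_and_reverse_looked_up(ptr_lookups, direct):
    """Peers that appear both as a direct connection and as a PTR query."""
    contacted = {key[0] for key in direct}
    return contacted & set(ptr_lookups)


if __name__ == "__main__":
    ptr, direct = summarise(NETWORK_ROWS)
    print("PTR-queried peers:", ", ".join(ptr))
    for (ip, port, proto, country, _), n in direct.items():
        print(f"direct {proto} {ip}:{port} ({country}) x{n}")
    print("C2 candidates:", c2_candidates(direct))
    print("contacted and PTR-queried:", contacted_and_reverse_looked_up(ptr, direct))
```

Note that 185.215.113.32 shows up in both lists: the host connected to it three times over plain HTTP and also asked 8.8.8.8 who it was (32.113.215.185.in-addr.arpa). PTR rows like that are a side effect of the connection, not the malware resolving its server by name, so the address itself, not a domain, is the indicator to block.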

Files

memory/3892-0-0x0000000000730000-0x0000000000BE3000-memory.dmp

memory/3892-1-0x0000000077C34000-0x0000000077C36000-memory.dmp

memory/3892-2-0x0000000000730000-0x0000000000BE3000-memory.dmp

memory/3892-3-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/3892-5-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/3892-4-0x0000000004F10000-0x0000000004F11000-memory.dmp

memory/3892-6-0x0000000004F30000-0x0000000004F31000-memory.dmp

memory/3892-7-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/3892-8-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/3892-9-0x0000000004F60000-0x0000000004F61000-memory.dmp

memory/3892-10-0x0000000004F50000-0x0000000004F51000-memory.dmp

memory/3892-15-0x0000000000730000-0x0000000000BE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 00491c484745d9a9a4732adf272f4600
SHA1 08d3c7b67912f527940bb835b65af23d3049382a
SHA256 e65370bbea636eef8c896cbbd13796f139af910c9e0e156d17ddaa75d00592e1
SHA512 4612983e3ad5f2b7e5c78be2ac2e4ad879c829a89c02386f5f374b11ab3eeb447c27bdd7f215cbe0d36cf3c2426413562e3d2a22cdf51f827883de05d2a0302d

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 9c18bcd8581022c566d0e244b12b2226
SHA1 4befb7c2c033159d560ae5c73cbd683d4f8e2352
SHA256 dcdb1f54e1e231aa7f039c9bb0b261f54c70f07064a62a1084c3047697b108cf
SHA512 763d7a455d02da1b6902db6f21ac95dafaac7cf27a1aa650d972b384e867b06ccb989f22b3fe938ec5dc041bcc866332714ba564a8597af5458c5367ad995d43

memory/3460-18-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-19-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-20-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/3460-21-0x0000000004A50000-0x0000000004A51000-memory.dmp

memory/3460-22-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/3460-23-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/3460-24-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/3460-26-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/3460-25-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/3460-27-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

memory/3460-28-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/3460-29-0x00000000000E0000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 16bfad66fcdd1716f47e3345bd0dcd6f
SHA1 50a2ea644fb9be60277c1a310cf39a767c3fdaf9
SHA256 4b11966fe30d57794ca430135eb1729c9d0e5d552e86198d70e71a3723b1fa56
SHA512 b5f7b10b181a3b0b3d269a96436a6d57965f2270a1effb60ef54cddb1a6f496f0a7bc5fa4d1505683050d35c6f128036aa5bbf073658e474402b8afe6e5f0871

memory/1388-42-0x0000026D62AC0000-0x0000026D62AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtdjwxma.r2g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1388-52-0x00007FFC3B8F0000-0x00007FFC3C3B1000-memory.dmp

memory/1388-53-0x0000026D62AB0000-0x0000026D62AC0000-memory.dmp

memory/1388-54-0x0000026D62AB0000-0x0000026D62AC0000-memory.dmp

memory/3460-55-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/1388-56-0x0000026D62E30000-0x0000026D62E42000-memory.dmp

memory/1388-57-0x0000026D4A980000-0x0000026D4A98A000-memory.dmp

memory/1388-63-0x00007FFC3B8F0000-0x00007FFC3C3B1000-memory.dmp

memory/3460-64-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-65-0x00000000000E0000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/3460-77-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-78-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-79-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-80-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-81-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-82-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-83-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-84-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-85-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-86-0x00000000000E0000-0x0000000000593000-memory.dmp

memory/3460-87-0x00000000000E0000-0x0000000000593000-memory.dmp