amadey | 823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d

Analysis

max time kernel
145s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
21-04-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
Size

1.9MB
MD5

eedc88ccaf938adb4b5128e211c55eb5
SHA1

a1554e4765df6e2baa66f6396aae8e33f341233e
SHA256

823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d
SHA512

1e6453711c967f843f2946f968b9b2a342c52a4dd16e4718c17b78da67938f44b61495055f592d6734ac550bb45b0f7d53e08a670b397c311a47c153c703e9f1
SSDEEP

49152:GT65ZwN9fsgFJPRuylfdSsYhj80yaOC+ZvQkYaWQ:/5mPRRbdYsan+2kft

Score

10^/10

amadey evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3400	rundll32.exe
4	4308	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe

Executes dropped EXE 1 IoCs

pid	Process
4608	chrosha.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
Key opened	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Wine	chrosha.exe

Loads dropped DLL 3 IoCs

pid	Process
476	rundll32.exe
3400	rundll32.exe
4308	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4144	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
4608	chrosha.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\chrosha.job	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4144	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
4144	823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
4608	chrosha.exe
4608	chrosha.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
3400	rundll32.exe
4380	powershell.exe
4380	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 476	4608	chrosha.exe	82
PID 4608 wrote to memory of 476	4608	chrosha.exe	82
PID 4608 wrote to memory of 476	4608	chrosha.exe	82
PID 476 wrote to memory of 3400	476	rundll32.exe	83
PID 476 wrote to memory of 3400	476	rundll32.exe	83
PID 3400 wrote to memory of 4036	3400	rundll32.exe	84
PID 3400 wrote to memory of 4036	3400	rundll32.exe	84
PID 3400 wrote to memory of 4380	3400	rundll32.exe	86
PID 3400 wrote to memory of 4380	3400	rundll32.exe	86
PID 4608 wrote to memory of 4308	4608	chrosha.exe	88
PID 4608 wrote to memory of 4308	4608	chrosha.exe	88
PID 4608 wrote to memory of 4308	4608	chrosha.exe	88

C:\Users\Admin\AppData\Local\Temp\823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe
"C:\Users\Admin\AppData\Local\Temp\823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\344820275820_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4380
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Filesize
1.9MB

MD5
eedc88ccaf938adb4b5128e211c55eb5

SHA1
a1554e4765df6e2baa66f6396aae8e33f341233e

SHA256
823774d5493d1f7718d5e0c1eee4eee0381c7c5d1ec469bc00a7e0b155c7714d

SHA512
1e6453711c967f843f2946f968b9b2a342c52a4dd16e4718c17b78da67938f44b61495055f592d6734ac550bb45b0f7d53e08a670b397c311a47c153c703e9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dggfyacu.xps.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
memory/4144-5-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4144-3-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4144-8-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4144-7-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4144-6-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4144-9-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4144-10-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4144-15-0x0000000000020000-0x00000000004F6000-memory.dmp

Filesize
4.8MB

Download
memory/4144-4-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/4144-2-0x0000000000020000-0x00000000004F6000-memory.dmp

Filesize
4.8MB

Download
memory/4144-0-0x0000000000020000-0x00000000004F6000-memory.dmp

Filesize
4.8MB

Download
memory/4144-1-0x0000000077C26000-0x0000000077C28000-memory.dmp

Filesize
8KB

Download
memory/4380-55-0x0000025BE19C0000-0x0000025BE19D2000-memory.dmp

Filesize
72KB

Download
memory/4380-43-0x0000025BE17E0000-0x0000025BE1802000-memory.dmp

Filesize
136KB

Download
memory/4380-62-0x00007FFD71F20000-0x00007FFD729E2000-memory.dmp

Filesize
10.8MB

Download
memory/4380-56-0x0000025BE19A0000-0x0000025BE19AA000-memory.dmp

Filesize
40KB

Download
memory/4380-53-0x0000025BE16A0000-0x0000025BE16B0000-memory.dmp

Filesize
64KB

Download
memory/4380-52-0x0000025BE16A0000-0x0000025BE16B0000-memory.dmp

Filesize
64KB

Download
memory/4380-51-0x00007FFD71F20000-0x00007FFD729E2000-memory.dmp

Filesize
10.8MB

Download
memory/4608-54-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-24-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4608-41-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-28-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-21-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/4608-27-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4608-26-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/4608-25-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4608-20-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4608-23-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4608-19-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-22-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4608-63-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-18-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-75-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-76-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-77-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-78-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-79-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-80-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-81-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download
memory/4608-82-0x0000000000070000-0x0000000000546000-memory.dmp

Filesize
4.8MB

Download