Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
26-04-2024 19:55
General
-
Target
ee348a4be35465c3b471b068df0e2db5101b0f014a4353806648b4f5892b9c8e.exe
-
Size
1.8MB
-
MD5
1fc3484a05a8d8e94070ef69880aecc0
-
SHA1
5ef6ddcfa261b3cd94e5d8452566a3a1028ed585
-
SHA256
ee348a4be35465c3b471b068df0e2db5101b0f014a4353806648b4f5892b9c8e
-
SHA512
e36d070a39ac397096f39beaedea708a95113363b0e14eac2dfb635d72fda0e7accc6ce02e20d6593b4dd665835e02102da9164c1deda91879b9ddd510ae5dd3
-
SSDEEP
49152:niEs3FYbJD8ytjfjV6iecICBnE1BqqFe2VZ:niv6gytjfjV6YNkUY
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee348a4be35465c3b471b068df0e2db5101b0f014a4353806648b4f5892b9c8e.exe"C:\Users\Admin\AppData\Local\Temp\ee348a4be35465c3b471b068df0e2db5101b0f014a4353806648b4f5892b9c8e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51fc3484a05a8d8e94070ef69880aecc0
SHA15ef6ddcfa261b3cd94e5d8452566a3a1028ed585
SHA256ee348a4be35465c3b471b068df0e2db5101b0f014a4353806648b4f5892b9c8e
SHA512e36d070a39ac397096f39beaedea708a95113363b0e14eac2dfb635d72fda0e7accc6ce02e20d6593b4dd665835e02102da9164c1deda91879b9ddd510ae5dd3
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB