Resubmissions
08-05-2024 17:38
240508-v78vbshh68 1007-05-2024 20:46
240507-zkn9mafa5t 1007-05-2024 15:51
240507-tazpqagb25 1001-05-2024 23:14
240501-28cxlsca92 10Analysis
-
max time kernel
175s -
max time network
177s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
08-05-2024 17:38
General
-
Target
65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
-
Size
1.9MB
-
MD5
cf02058ce59cb0d1f9e9f3146316717f
-
SHA1
9c276c5d673ad974c0c49e55be5e1952100bbc56
-
SHA256
65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
-
SHA512
5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7
-
SSDEEP
49152:V3/bnL0qZ+XLHP19pmfybjyCIaIzRGuyW2/iC2Xxx9lB:VjnLnYXx90abbI3Dy/iC2Xr
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.20
C2
http://193.233.132.139
Attributes
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe"C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnprotectWatch.cmd" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnprotectWatch.cmd" "1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeFilesize
1.9MB
MD5cf02058ce59cb0d1f9e9f3146316717f
SHA19c276c5d673ad974c0c49e55be5e1952100bbc56
SHA25665b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
SHA5125a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7
-
memory/1908-70-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2052-39-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2052-37-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-34-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-68-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-66-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-65-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-64-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-58-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-57-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-22-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-27-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/2160-26-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/2160-25-0x00000000051D0000-0x00000000051D1000-memory.dmpFilesize
4KB
-
memory/2160-24-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/2160-23-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/2160-29-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/2160-28-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/2160-30-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-56-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-32-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-33-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-55-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-54-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-36-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-53-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/2160-31-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/3288-46-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-41-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-52-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-51-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-50-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-49-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-48-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-47-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-42-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/3288-40-0x0000021075880000-0x0000021075881000-memory.dmpFilesize
4KB
-
memory/4100-1-0x0000000077D46000-0x0000000077D48000-memory.dmpFilesize
8KB
-
memory/4100-6-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/4100-2-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/4100-21-0x00000000008A0000-0x0000000000D73000-memory.dmpFilesize
4.8MB
-
memory/4100-5-0x0000000005110000-0x0000000005111000-memory.dmpFilesize
4KB
-
memory/4100-8-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/4100-9-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/4100-4-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/4100-0-0x00000000008A0000-0x0000000000D73000-memory.dmpFilesize
4.8MB
-
memory/4100-3-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/4696-60-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB
-
memory/4696-62-0x00000000006F0000-0x0000000000BC3000-memory.dmpFilesize
4.8MB