Overview

overview

10

Static

static

3

65b13c88ba...c3.exe

windows11-21h2-x64

10

Resubmissions

08-05-2024 17:38

240508-v78vbshh68 10

07-05-2024 20:46

240507-zkn9mafa5t 10

07-05-2024 15:51

240507-tazpqagb25 10

01-05-2024 23:14

240501-28cxlsca92 10

Analysis

  • max time kernel
    175s
  • max time network
    177s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-05-2024 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe

  • Size

    1.9MB

  • MD5

    cf02058ce59cb0d1f9e9f3146316717f

  • SHA1

    9c276c5d673ad974c0c49e55be5e1952100bbc56

  • SHA256

    65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3

  • SHA512

    5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7

  • SSDEEP

    49152:V3/bnL0qZ+XLHP19pmfybjyCIaIzRGuyW2/iC2Xxx9lB:VjnLnYXx90abbI3Dy/iC2Xr

Score
10/10
amadeyevasiontrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes
  • install_dir

    5454e6f062

  • install_file

    explorta.exe

  • strings_key

    c7a869c5ba1d72480093ec207994e2bf

  • url_paths

    /sev56rkm/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
    "C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2160
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnprotectWatch.cmd" "
    1⤵
      PID:3880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnprotectWatch.cmd" "
      1⤵
        PID:4840
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:280
        • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
          C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
          1⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2052
        • C:\Windows\System32\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe"
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3288
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          1⤵
            PID:1896
          • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
            C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
            1⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4696
          • C:\Windows\System32\rundll32.exe
            C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
            1⤵
              PID:2384
            • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
              C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
              1⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1908

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
              Filesize

              1.9MB

              MD5

              cf02058ce59cb0d1f9e9f3146316717f

              SHA1

              9c276c5d673ad974c0c49e55be5e1952100bbc56

              SHA256

              65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3

              SHA512

              5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7

              Download Submit

            • memory/1908-70-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2052-39-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2052-37-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-34-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-68-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-66-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-65-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-64-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-58-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-57-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-22-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-27-0x0000000005180000-0x0000000005181000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-26-0x0000000005170000-0x0000000005171000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-25-0x00000000051D0000-0x00000000051D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-24-0x0000000005190000-0x0000000005191000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-23-0x00000000051A0000-0x00000000051A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-29-0x00000000051E0000-0x00000000051E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-28-0x00000000051F0000-0x00000000051F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2160-30-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-56-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-32-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-33-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-55-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-54-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-36-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-53-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/2160-31-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/3288-46-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-41-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-52-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-51-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-50-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-49-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-48-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-47-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-42-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3288-40-0x0000021075880000-0x0000021075881000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-1-0x0000000077D46000-0x0000000077D48000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4100-6-0x0000000005120000-0x0000000005121000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-2-0x0000000005140000-0x0000000005141000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-21-0x00000000008A0000-0x0000000000D73000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4100-5-0x0000000005110000-0x0000000005111000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-8-0x00000000051A0000-0x00000000051A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-9-0x0000000005190000-0x0000000005191000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-4-0x0000000005170000-0x0000000005171000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4100-0-0x00000000008A0000-0x0000000000D73000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4100-3-0x0000000005130000-0x0000000005131000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4696-60-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download

            • memory/4696-62-0x00000000006F0000-0x0000000000BC3000-memory.dmp

              Filesize

              4.8MB

              Download