amadey | 37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3

Analysis

max time kernel
1s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
13/05/2024, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe
Size

1.5MB
MD5

a155de8690462c0959f2ea4909d882a5
SHA1

fdb6464008104acb947d0796f4f39194fd7caa5b
SHA256

37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3
SHA512

3506261ec12974f0fa0b4d4454f351329c9b740d438ab37c5f5eac8ea7738b69afb6c8a994ee638cd714e3aa9f8900831e38c68ee0bd7ac62ba716ebd2e4499e
SSDEEP

24576:xKE/S7xqKnUjVto5Naoqc0sCxYBF87pDjpi9WPpQ45OpY/uMWT7/gV0we:oE/S7xFUJyhqVsZGds9WJ5OK//W/YVZe

Score

10^/10

amadey risepro evasion stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4208-1-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-2-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-0-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-5-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-4-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-7-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-6-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/4208-3-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/files/0x000100000002a9e6-13.dat	themida
behavioral2/memory/4208-20-0x00000000007B0000-0x0000000000C9A000-memory.dmp	themida
behavioral2/memory/2924-21-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-24-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-28-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-26-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-25-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-23-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-22-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-27-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2924-62-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/files/0x000100000002a9eb-67.dat	themida
behavioral2/memory/2172-81-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-84-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-82-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-87-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-89-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-86-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-88-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-85-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2172-83-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/2924-90-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/2172-93-0x00000000008E0000-0x0000000000F56000-memory.dmp	themida
behavioral2/memory/4880-109-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-114-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-112-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-113-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-111-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-110-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-108-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-107-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4880-116-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4964-146-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida
behavioral2/memory/4964-148-0x0000000000DC0000-0x00000000012AA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorku.job	37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe
"C:\Users\Admin\AppData\Local\Temp\37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:244
- - C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
    3⤵
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      PID:2900
- - C:\Users\Admin\1000006002\0eb45443fb.exe
    "C:\Users\Admin\1000006002\0eb45443fb.exe"
    3⤵
    PID:2172

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000006002\0eb45443fb.exe

Filesize
2.1MB

MD5
906505cc5818955f1793017c1d83206d

SHA1
21c7c8ff1b3cd6205d3018da9d449ff30b441db9

SHA256
9c3cdb46ca15b7c867ba2fdaab5f4c48e682ef004de8beac75d7da8186da3f1e

SHA512
d284c6819762a67058cbc1dc8803a787faec7adb68dd95f082d338882b61f616a40e8db5030d82820e3583a47d14b2ea19719b100c738a7ddd702b46a43f894d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe

Filesize
1.8MB

MD5
387a60a7af32e4df90f96085e62eb63d

SHA1
38bcae57be5abec2a519810313b49d9d5fedfe24

SHA256
1b42d4086b500c28579921efe821bd8006d565f0dd40fdba961bda691e2e2973

SHA512
1b738060e7ff44657c75dffc7fe4767c77fef4744dfa94415b230796b4b27c6ac5015266bac57b2490c67ea84d961922ea55c192424575f48dbd6b6a40a55c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.2MB

MD5
b4f5f331da33f5914179016ededc9fba

SHA1
a0f7672543d56271c4075987f26c985e86ef5d77

SHA256
6fbc542256f57f4cacede6132c3420c4002dd44d1aa63b2fe3363a6619e894b6

SHA512
cef86bc15e8be86540746878eeb29048b48b41946c2b96287208a990652e6f9924fe785881a6d28705c8dfdf7980cba8b45d7375ebee8c1a33be3f23cd65bb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.5MB

MD5
a155de8690462c0959f2ea4909d882a5

SHA1
fdb6464008104acb947d0796f4f39194fd7caa5b

SHA256
37fb55f397be5ae4ca8bece8981dc60393934e76337cefa61f2bba2bbaa670f3

SHA512
3506261ec12974f0fa0b4d4454f351329c9b740d438ab37c5f5eac8ea7738b69afb6c8a994ee638cd714e3aa9f8900831e38c68ee0bd7ac62ba716ebd2e4499e

Download Submit
memory/1684-47-0x0000000077546000-0x0000000077548000-memory.dmp

Filesize
8KB

Download
memory/1684-60-0x0000000000CC0000-0x000000000117B000-memory.dmp

Filesize
4.7MB

Download
memory/1684-46-0x0000000000CC0000-0x000000000117B000-memory.dmp

Filesize
4.7MB

Download
memory/1772-105-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/1772-117-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2172-82-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-81-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-84-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-85-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-87-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-88-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-93-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-89-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-83-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2172-86-0x00000000008E0000-0x0000000000F56000-memory.dmp

Filesize
6.5MB

Download
memory/2900-95-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-91-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-61-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-94-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-98-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-101-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-118-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-121-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-124-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-127-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-130-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2900-133-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/2924-23-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-62-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-27-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-90-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-22-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-25-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-26-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-28-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-24-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/2924-21-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/3344-150-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/3344-137-0x0000000000470000-0x000000000092B000-memory.dmp

Filesize
4.7MB

Download
memory/4208-6-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-5-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-1-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-20-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-2-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-0-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-4-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-7-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4208-3-0x00000000007B0000-0x0000000000C9A000-memory.dmp

Filesize
4.9MB

Download
memory/4880-116-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-109-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-107-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-108-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-114-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-110-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-111-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-113-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4880-112-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4964-146-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download
memory/4964-148-0x0000000000DC0000-0x00000000012AA000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads