Malware Analysis Report

2025-03-15 03:56

Sample ID 240520-rey8msdh8t
Target chrosha.exe
SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
Tags amadey 090bb7 evasion trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876

Threat Level: Known bad

The file chrosha.exe was found to be: Known bad.

Malicious Activity Summary

amadey 090bb7 evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 14:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 14:07

Reported

2024-05-20 14:09

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chrosha.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\chrosha.exe

"C:\Users\Admin\AppData\Local\Temp\chrosha.exe"

Network

N/A

Files

memory/2076-0-0x0000000000B50000-0x0000000001003000-memory.dmp
memory/2076-1-0x0000000076FD0000-0x0000000076FD2000-memory.dmp
memory/2076-2-0x0000000000B51000-0x0000000000B7F000-memory.dmp
memory/2076-3-0x0000000000B50000-0x0000000001003000-memory.dmp
memory/2076-5-0x0000000000B50000-0x0000000001003000-memory.dmp
memory/2076-10-0x0000000000B50000-0x0000000001003000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 14:07

Reported

2024-05-20 14:09

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chrosha.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\chrosha.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\chrosha.exe

"C:\Users\Admin\AppData\Local\Temp\chrosha.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
RU 193.233.132.167:80 tcp
RU 193.233.132.167:80 tcp
US 8.8.8.8:53 144.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
RU 193.233.132.167:80 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 193.233.132.167:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.233.132.167:80 tcp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp
RU 193.233.132.167:80 tcp

Files

memory/2336-0-0x0000000000DD0000-0x0000000001283000-memory.dmp
memory/2336-1-0x0000000077444000-0x0000000077446000-memory.dmp
memory/2336-2-0x0000000000DD1000-0x0000000000DFF000-memory.dmp
memory/2336-3-0x0000000000DD0000-0x0000000001283000-memory.dmp
memory/2336-5-0x0000000000DD0000-0x0000000001283000-memory.dmp
memory/2336-10-0x0000000000DD0000-0x0000000001283000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 73d73c48859fc7aa4fd78d9a57f859d6
SHA1 c1f71ea0692d97c653ff5a5ecbc03fd02173fe05
SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
SHA512 f0634be539582016c03e83f3ca58d613fc16abcc0a9c320321f455234a8f2dc1c199fc52187abac5e4cbbe7b7907afdaa89813f50cbecd611f7e870ee7f8e979
