Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

  • Size

    1.7MB

  • MD5

    19923fb77b18c695262eadb18567006a

  • SHA1

    611694ed4bde95d43f82d0d10b8bb98f69d3f4b0

  • SHA256

    f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9

  • SHA512

    32b9287af25a88fc7f5cdd47e7baf1e9f8a3a96f69de1c7b785856a8025283f836f8205698fb92ab386d4ed9e8dc1bf4340eb325d8bbade8d86e92b7259bf361

  • SSDEEP

    49152:2DJc4W46mCQXOfpy2T0r6DGXuhj47IRtEsfXywAHx3:2Vc4W4JipBT0rx+TLEsfnAHx3

Score
10/10
amadey18befcevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 40 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
    "C:\Users\Admin\AppData\Local\Temp\f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4664
  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:1504
  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:4520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    Filesize

    1.7MB

    MD5

    19923fb77b18c695262eadb18567006a

    SHA1

    611694ed4bde95d43f82d0d10b8bb98f69d3f4b0

    SHA256

    f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9

    SHA512

    32b9287af25a88fc7f5cdd47e7baf1e9f8a3a96f69de1c7b785856a8025283f836f8205698fb92ab386d4ed9e8dc1bf4340eb325d8bbade8d86e92b7259bf361

    Download Submit
  • memory/1504-35-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-44-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-43-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-39-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-41-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-42-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-40-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-36-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-38-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/1504-37-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-21-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-0-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-1-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-7-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-6-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-5-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-4-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-3-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-2-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3636-8-0x00000000009D0000-0x0000000000F16000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-59-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-53-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-61-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-52-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-54-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-55-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-56-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-57-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4520-58-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-27-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-26-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-30-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-25-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-28-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-29-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-22-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-24-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-23-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4664-31-0x0000000000880000-0x0000000000DC6000-memory.dmp
    Filesize

    5.3MB

    Download