amadey | f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9

General

Target

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
Size

1.7MB
MD5

19923fb77b18c695262eadb18567006a
SHA1

611694ed4bde95d43f82d0d10b8bb98f69d3f4b0
SHA256

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9
SHA512

32b9287af25a88fc7f5cdd47e7baf1e9f8a3a96f69de1c7b785856a8025283f836f8205698fb92ab386d4ed9e8dc1bf4340eb325d8bbade8d86e92b7259bf361
SSDEEP

49152:2DJc4W46mCQXOfpy2T0r6DGXuhj47IRtEsfXywAHx3:2Vc4W4JipBT0rx+TLEsfnAHx3

Score

10^/10

amadey 18befc evasion themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorku.exeexplorku.exeexplorku.exef90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exeexplorku.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe

Executes dropped EXE 3 IoCs

Processes:

explorku.exeexplorku.exeexplorku.exe

pid process

3176 explorku.exe
1448 explorku.exe
3240 explorku.exe

pid	process
3176	explorku.exe
1448	explorku.exe
3240	explorku.exe

Themida packer 41 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-1-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-2-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-6-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-4-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-8-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-7-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-5-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/2528-3-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/3176-21-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/2528-19-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/3176-23-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-24-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-26-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-29-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-28-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-27-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-25-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-22-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3176-30-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/2528-32-0x0000000000830000-0x0000000000D76000-memory.dmp	themida
behavioral2/memory/1448-35-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-36-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-43-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-42-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-41-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-39-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-37-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-40-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-38-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/1448-44-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-52-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-54-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-55-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-53-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-57-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-59-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-58-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-56-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida
behavioral2/memory/3240-60-0x0000000000FD0000-0x0000000001516000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exeexplorku.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe

Drops file in Windows directory 1 IoCs

Processes:

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

description ioc process

File created C:\Windows\Tasks\explorku.job f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe

description	pid	process	target process
PID 2528 wrote to memory of 3176	2528	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe	explorku.exe
PID 2528 wrote to memory of 3176	2528	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe	explorku.exe
PID 2528 wrote to memory of 3176	2528	f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe	explorku.exe

C:\Users\Admin\AppData\Local\Temp\f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe
"C:\Users\Admin\AppData\Local\Temp\f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3176

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1448

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.7MB

MD5
19923fb77b18c695262eadb18567006a

SHA1
611694ed4bde95d43f82d0d10b8bb98f69d3f4b0

SHA256
f90763fdf6955482060795bb19dee26952e71ebacbfaebbdd6c180368d95b1f9

SHA512
32b9287af25a88fc7f5cdd47e7baf1e9f8a3a96f69de1c7b785856a8025283f836f8205698fb92ab386d4ed9e8dc1bf4340eb325d8bbade8d86e92b7259bf361

Download Submit
memory/1448-44-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-36-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-43-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-42-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-41-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-35-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-39-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-37-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-40-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/1448-38-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/2528-8-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-19-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-0-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-3-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-5-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-7-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-4-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-6-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-2-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-1-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/2528-32-0x0000000000830000-0x0000000000D76000-memory.dmp

Filesize
5.3MB

Download
memory/3176-21-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-30-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-22-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-25-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-27-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-28-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-29-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-26-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-24-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3176-23-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-52-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-54-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-55-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-53-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-57-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-59-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-58-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-56-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download
memory/3240-60-0x0000000000FD0000-0x0000000001516000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads