amadey | 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657

General

Target

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
Size

1.8MB
MD5

d621f5952ed932db832ed39968a5ac52
SHA1

ed47e99b536089eaabbe6479c9aa8b9975ef820e
SHA256

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657
SHA512

c084d6587b37ec995bd179c1580b3d68899701dc22a955e7ae7775075a27412771e2ac58b85a980c0bd5c691154ef98cecb3678805d03e281d582c1ffb1be1fb
SSDEEP

49152:XHmWSZsXASvCWgXNZZKhF4k6dUHGIEMdb574wEt:XHzSMCWMZoh/6Wm457c

Score

10^/10

amadey 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exe0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

Executes dropped EXE 3 IoCs

Processes:

axplont.exebuildjudit.exestub.exe

pid process

2796 axplont.exe
824 buildjudit.exe
592 stub.exe

pid	process
2796	axplont.exe
824	buildjudit.exe
592	stub.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine	axplont.exe

Loads dropped DLL 4 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exebuildjudit.exestub.exe

pid process

3008 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796 axplont.exe
824 buildjudit.exe
592 stub.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exe

pid process

3008 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796 axplont.exe
Drops file in Windows directory 1 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

description ioc process

File created C:\Windows\Tasks\axplont.job 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exe

pid process

3008 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796 axplont.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

pid process

3008 0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

pid	process
3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796	axplont.exe
824	buildjudit.exe
592	stub.exe

pid	process
3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796	axplont.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

pid	process
3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
2796	axplont.exe

pid	process
3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exeaxplont.exebuildjudit.exe

description	pid	process	target process
PID 3008 wrote to memory of 2796	3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe	axplont.exe
PID 3008 wrote to memory of 2796	3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe	axplont.exe
PID 3008 wrote to memory of 2796	3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe	axplont.exe
PID 3008 wrote to memory of 2796	3008	0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe	axplont.exe
PID 2796 wrote to memory of 824	2796	axplont.exe	buildjudit.exe
PID 2796 wrote to memory of 824	2796	axplont.exe	buildjudit.exe
PID 2796 wrote to memory of 824	2796	axplont.exe	buildjudit.exe
PID 2796 wrote to memory of 824	2796	axplont.exe	buildjudit.exe
PID 824 wrote to memory of 592	824	buildjudit.exe	stub.exe
PID 824 wrote to memory of 592	824	buildjudit.exe	stub.exe
PID 824 wrote to memory of 592	824	buildjudit.exe	stub.exe

C:\Users\Admin\AppData\Local\Temp\0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe
"C:\Users\Admin\AppData\Local\Temp\0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\onefile_824_133610548447902000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\file300un.exe
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
Filesize
10.7MB

MD5
cc7933b503e061ddde7158e108f19cc3

SHA1
41b74dc86cc1c4dde7010d3f596aacccf00b3133

SHA256
049f48024f31d86c5d8bf56c3da1d7be539c877ad189fb0c5aa9a228601d19eb

SHA512
87892a6f3e41ea43157cf13cc6402044ce41fd3d7eb7e456fced894c88d33786a80fa626c1b58436eba94997490256d2675598ba2e54b52affa64f5491c880a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
Filesize
1.8MB

MD5
d621f5952ed932db832ed39968a5ac52

SHA1
ed47e99b536089eaabbe6479c9aa8b9975ef820e

SHA256
0fa67fdcb7e8e02ed12c87b403f5ec632655878dcb876e8803ffbcc009723657

SHA512
c084d6587b37ec995bd179c1580b3d68899701dc22a955e7ae7775075a27412771e2ac58b85a980c0bd5c691154ef98cecb3678805d03e281d582c1ffb1be1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_824_133610548447902000\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_824_133610548447902000\stub.exe
Filesize
17.9MB

MD5
5ad46542eebe9910891770d619d7c4fa

SHA1
38b3d062740d4a350c3329f4e5d7627e4a980ef3

SHA256
6b0281ff5ec47dfabd801ecde7e55513e556ca6763a557bfb8f2c07b0e739bd5

SHA512
426aa5a0453dc0ad2494d43fdfa7d6c35f19770026650db413234859c34e9a1371272942e96d8741594a47832c4fb4391c217911bc65c6434d621f01995d1e64

Download Submit
memory/592-88-0x000000013F550000-0x0000000140785000-memory.dmp

Filesize
18.2MB

Download
memory/824-123-0x000000013F2F0000-0x000000013FDC5000-memory.dmp

Filesize
10.8MB

Download
memory/2796-34-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-128-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-18-0x0000000000011000-0x000000000003F000-memory.dmp

Filesize
184KB

Download
memory/2796-19-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-21-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-22-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-136-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-30-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-31-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-32-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-33-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-135-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-35-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-134-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-133-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-132-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-131-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-130-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-124-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-125-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-126-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-127-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-17-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/2796-129-0x0000000000010000-0x00000000004C5000-memory.dmp

Filesize
4.7MB

Download
memory/3008-1-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/3008-2-0x0000000001251000-0x000000000127F000-memory.dmp

Filesize
184KB

Download
memory/3008-3-0x0000000001250000-0x0000000001705000-memory.dmp

Filesize
4.7MB

Download
memory/3008-5-0x0000000001250000-0x0000000001705000-memory.dmp

Filesize
4.7MB

Download
memory/3008-14-0x0000000001250000-0x0000000001705000-memory.dmp

Filesize
4.7MB

Download
memory/3008-0-0x0000000001250000-0x0000000001705000-memory.dmp

Filesize
4.7MB

Download
memory/3008-16-0x0000000006E60000-0x0000000007315000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads