amadey | 4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d

General

Target

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Size

1.8MB
MD5

c04b70614b99ae6757d77ed17451f74b
SHA1

0798739fb4e9ccd3dbde47083ad8d46e91ac846a
SHA256

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d
SHA512

4a4ba32056c4aa42417d27828a8ecc6617a800d90cd274d449915893877455c74aa806fc9bea1e74e5d691f2e7287251310840ae8992ac6431e1b00d173e1e68
SSDEEP

24576:9j1DgJeoD7PguHzzHIZJaUT6TwszCnkwj02C5CcC8qb3qjj6Zr5Xzl6Aa6QQcW9:9jCJdPXzzHI/js0j2GFe3o5DQDQcW

Score

10^/10

amadey 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exeaxplont.exeaxplont.exe4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe

Executes dropped EXE 4 IoCs

Processes:

axplont.exe4.exeaxplont.exeaxplont.exe

pid process

1032 axplont.exe
3156 4.exe
4248 axplont.exe
5048 axplont.exe

pid	process
1032	axplont.exe
3156	4.exe
4248	axplont.exe
5048	axplont.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplont.exeaxplont.exe4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exeaxplont.exeaxplont.exeaxplont.exe

pid process

756 4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
1032 axplont.exe
4248 axplont.exe
5048 axplont.exe
Drops file in Windows directory 1 IoCs

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe

description ioc process

File created C:\Windows\Tasks\axplont.job 4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4508 3156 WerFault.exe 4.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe

pid	pid_target	process	target process
4508	3156	WerFault.exe	4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exeaxplont.exeaxplont.exeaxplont.exe

pid	process
756	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
756	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
1032	axplont.exe
1032	axplont.exe
4248	axplont.exe
4248	axplont.exe
5048	axplont.exe
5048	axplont.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe

pid process

756 4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exeaxplont.exe

description	pid	process	target process
PID 756 wrote to memory of 1032	756	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe	axplont.exe
PID 756 wrote to memory of 1032	756	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe	axplont.exe
PID 756 wrote to memory of 1032	756	4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe	axplont.exe
PID 1032 wrote to memory of 3156	1032	axplont.exe	4.exe
PID 1032 wrote to memory of 3156	1032	axplont.exe	4.exe
PID 1032 wrote to memory of 3156	1032	axplont.exe	4.exe

C:\Users\Admin\AppData\Local\Temp\4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe
"C:\Users\Admin\AppData\Local\Temp\4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\1000022001\4.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\4.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 384
4⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3156 -ip 3156
1⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000022001\4.exe
Filesize
234KB

MD5
02644161e2f9fc67a85443420a706f53

SHA1
c278f508913fadb1d122d49e91dffc55c6e9dc57

SHA256
dbf3a45df3d3849bc028c3bccb852655cb0d01edadc9ff0cbc6c88e50dca5d23

SHA512
7fba5a1c4ca72c11bd3eba486528b335052e0b07cdc446a12e6a2917bad6ca5d01783819dfc61023ab59119469970ac93dc043f7313e3507dd84452f8b3ef626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
Filesize
1.8MB

MD5
c04b70614b99ae6757d77ed17451f74b

SHA1
0798739fb4e9ccd3dbde47083ad8d46e91ac846a

SHA256
4488aa267ff56b5bac4bd005ffb3fe63b7cc6aed23c66a9c55b56d147c66e03d

SHA512
4a4ba32056c4aa42417d27828a8ecc6617a800d90cd274d449915893877455c74aa806fc9bea1e74e5d691f2e7287251310840ae8992ac6431e1b00d173e1e68

Download Submit
memory/756-1-0x0000000077176000-0x0000000077178000-memory.dmp

Filesize
8KB

Download
memory/756-2-0x0000000000F11000-0x0000000000F3F000-memory.dmp

Filesize
184KB

Download
memory/756-3-0x0000000000F10000-0x00000000013BE000-memory.dmp

Filesize
4.7MB

Download
memory/756-5-0x0000000000F10000-0x00000000013BE000-memory.dmp

Filesize
4.7MB

Download
memory/756-0-0x0000000000F10000-0x00000000013BE000-memory.dmp

Filesize
4.7MB

Download
memory/756-17-0x0000000000F10000-0x00000000013BE000-memory.dmp

Filesize
4.7MB

Download
memory/1032-47-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-53-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-21-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-22-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-19-0x00000000007B1000-0x00000000007DF000-memory.dmp

Filesize
184KB

Download
memory/1032-66-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-45-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-46-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-18-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-48-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-49-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-65-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-64-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-20-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-54-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-55-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-56-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-57-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-58-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-63-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/1032-62-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/3156-44-0x0000000000400000-0x0000000002C9A000-memory.dmp

Filesize
40.6MB

Download
memory/4248-52-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/4248-51-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/5048-61-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download
memory/5048-60-0x00000000007B0000-0x0000000000C5E000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads