amadey | 2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488

General

Target

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Size

1.8MB
MD5

589dd545867e563db22bbc5f7c912c65
SHA1

dcc152fe817a434612622e4e435b048a1cbc08de
SHA256

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488
SHA512

e61ad0a316ae4f508243d7a70e87f597f812b5cf0985e5440a460de0be7be3f728bf8f148acec293394574205d44cc9de8f85ee65fe74ac13eb94e58ed066e7f
SSDEEP

49152:2xswCsA+JyypovBFWwT8fG6oSz+OBXFkE7:AdmDWwI1+K

Score

10^/10

amadey systembc 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exeaxplont.exeaxplont.exe2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exelgodjadrg.exework.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	axplont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	lgodjadrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	work.exe

Executes dropped EXE 9 IoCs

Processes:

axplont.exelgodjadrg.exework.exelgors.exeaxplont.exejkdcvrc.exeaxplont.exejkdcvrc.exeaxplont.exe

pid process

3812 axplont.exe
5096 lgodjadrg.exe
1112 work.exe
1844 lgors.exe
2696 axplont.exe
412 jkdcvrc.exe
3104 axplont.exe
3956 jkdcvrc.exe
4384 axplont.exe

pid	process
3812	axplont.exe
5096	lgodjadrg.exe
1112	work.exe
1844	lgors.exe
2696	axplont.exe
412	jkdcvrc.exe
3104	axplont.exe
3956	jkdcvrc.exe
4384	axplont.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

pid process

4284 2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
3812 axplont.exe
2696 axplont.exe
3104 axplont.exe
4384 axplont.exe

Drops file in Windows directory 3 IoCs

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exelgors.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
File created	C:\Windows\Tasks\jkdcvrc.job	lgors.exe
File opened for modification	C:\Windows\Tasks\jkdcvrc.job	lgors.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exeaxplont.exelgors.exeaxplont.exeaxplont.exe

pid	process
4284	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
4284	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
3812	axplont.exe
3812	axplont.exe
2696	axplont.exe
2696	axplont.exe
1844	lgors.exe
1844	lgors.exe
3104	axplont.exe
3104	axplont.exe
4384	axplont.exe
4384	axplont.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe

pid process

4284 2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exeaxplont.exelgodjadrg.execmd.exework.exe

description	pid	process	target process
PID 4284 wrote to memory of 3812	4284	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe	axplont.exe
PID 4284 wrote to memory of 3812	4284	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe	axplont.exe
PID 4284 wrote to memory of 3812	4284	2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe	axplont.exe
PID 3812 wrote to memory of 5096	3812	axplont.exe	lgodjadrg.exe
PID 3812 wrote to memory of 5096	3812	axplont.exe	lgodjadrg.exe
PID 3812 wrote to memory of 5096	3812	axplont.exe	lgodjadrg.exe
PID 5096 wrote to memory of 1636	5096	lgodjadrg.exe	cmd.exe
PID 5096 wrote to memory of 1636	5096	lgodjadrg.exe	cmd.exe
PID 5096 wrote to memory of 1636	5096	lgodjadrg.exe	cmd.exe
PID 1636 wrote to memory of 1112	1636	cmd.exe	work.exe
PID 1636 wrote to memory of 1112	1636	cmd.exe	work.exe
PID 1636 wrote to memory of 1112	1636	cmd.exe	work.exe
PID 1112 wrote to memory of 1844	1112	work.exe	lgors.exe
PID 1112 wrote to memory of 1844	1112	work.exe	lgors.exe
PID 1112 wrote to memory of 1844	1112	work.exe	lgors.exe

C:\Users\Admin\AppData\Local\Temp\2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe
"C:\Users\Admin\AppData\Local\Temp\2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
  "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2696

C:\ProgramData\qbaggmx\jkdcvrc.exe
C:\ProgramData\qbaggmx\jkdcvrc.exe start2
1⤵
- Executes dropped EXE
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\ProgramData\qbaggmx\jkdcvrc.exe
C:\ProgramData\qbaggmx\jkdcvrc.exe start2
1⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe

Filesize
613KB

MD5
a1ad149a4d2a04338fd9a0d902410daf

SHA1
d43db08458ea4a81cd32926a402d8a5d12728a2f

SHA256
6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a

SHA512
cef534d0233f47048d6b80c49c4b44570fc436b90904ea84f03c24106ecb785802c424e1241ebd70b9a85f09b77f7c0322927c57a9d65959da4a425149e04128

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
589dd545867e563db22bbc5f7c912c65

SHA1
dcc152fe817a434612622e4e435b048a1cbc08de

SHA256
2ce0dc290da1b20ede6beb2da4ce7896dce5e60a9afdfea68652544f58496488

SHA512
e61ad0a316ae4f508243d7a70e87f597f812b5cf0985e5440a460de0be7be3f728bf8f148acec293394574205d44cc9de8f85ee65fe74ac13eb94e58ed066e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
294KB

MD5
372b142bdf88cc3175d31b48a650955d

SHA1
515f9a1e5c954cd849bacd19291534c50201ac49

SHA256
e3873f55cd848b37d6897b3851a21aa6c17b3d74d94ea2adcd076cf3eb3f4121

SHA512
cff5c69e361d4975f6b10000d5d53ccd0853503f585842ac3422131cf8313195ab8720b65e291c27fc12875b584129069b8548823774320ded37403cc64d8d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit
memory/2696-61-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/2696-60-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3104-78-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3104-77-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-20-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-71-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-22-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-23-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-84-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-18-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-83-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-82-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-58-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-81-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-80-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-62-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-68-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-69-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-70-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-21-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-72-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-73-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-74-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-75-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/3812-79-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/4284-1-0x00000000775E4000-0x00000000775E6000-memory.dmp

Filesize
8KB

Download
memory/4284-2-0x00000000006C1000-0x00000000006EF000-memory.dmp

Filesize
184KB

Download
memory/4284-3-0x00000000006C0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4284-4-0x00000000006C0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4284-11-0x00000000006C0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4284-19-0x00000000006C0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4284-0-0x00000000006C0000-0x0000000000B6C000-memory.dmp

Filesize
4.7MB

Download
memory/4384-87-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download
memory/4384-88-0x0000000000420000-0x00000000008CC000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads