amadey | 29a1b2044662e0dd7f3059854ed7d49d2511eca878ecf4aad8664292e62dd2d5

Analysis

max time kernel
30s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Small Malwares/8254624243/axplong.exe
Size

1.8MB
MD5

a7221b372210af6bea61be50186a3860
SHA1

3aa73526e25e9ade86cc74d820bd656e34c8c850
SHA256

c8f039706b71366f54bb879a8b9a01745dab0511c11d91bef773c2dddc216881
SHA512

939671a3336e29460244a3593a3a0e6925625207ec46fe31ac5864bbf28ceba0a9741e616d25a8625742f442f14dd351ecbe8610d62281e47d3c1d27a4e111f1
SSDEEP

49152:QsbBUcmzPnap2/GlHv0gm25LIXaRmySHyMW:QsVft26HvdTUXaRm3SM

Score

10^/10

amadey e76b71 evasion trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

axplong.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation axplong.exe
Executes dropped EXE 2 IoCs

Processes:

axplong.exeaxplong.exe

pid process

3516 axplong.exe
1572 axplong.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	axplong.exe

pid	process
3516	axplong.exe
1572	axplong.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

axplong.exeaxplong.exeaxplong.exe

pid process

3044 axplong.exe
3516 axplong.exe
1572 axplong.exe
Drops file in Windows directory 1 IoCs

Processes:

axplong.exe

description ioc process

File created C:\Windows\Tasks\axplong.job axplong.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

axplong.exeaxplong.exeaxplong.exe

pid process

3044 axplong.exe
3044 axplong.exe
3516 axplong.exe
3516 axplong.exe
1572 axplong.exe
1572 axplong.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

axplong.exe

pid process

3044 axplong.exe

pid	process
3044	axplong.exe
3516	axplong.exe
1572	axplong.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	axplong.exe

pid	process
3044	axplong.exe
3044	axplong.exe
3516	axplong.exe
3516	axplong.exe
1572	axplong.exe
1572	axplong.exe

pid	process
3044	axplong.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

axplong.exe

description	pid	process	target process
PID 3044 wrote to memory of 3516	3044	axplong.exe	axplong.exe
PID 3044 wrote to memory of 3516	3044	axplong.exe	axplong.exe
PID 3044 wrote to memory of 3516	3044	axplong.exe	axplong.exe

C:\Users\Admin\AppData\Local\Temp\Small Malwares\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\Small Malwares\8254624243\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3516

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe

Filesize
1.8MB

MD5
a7221b372210af6bea61be50186a3860

SHA1
3aa73526e25e9ade86cc74d820bd656e34c8c850

SHA256
c8f039706b71366f54bb879a8b9a01745dab0511c11d91bef773c2dddc216881

SHA512
939671a3336e29460244a3593a3a0e6925625207ec46fe31ac5864bbf28ceba0a9741e616d25a8625742f442f14dd351ecbe8610d62281e47d3c1d27a4e111f1

Download Submit
memory/1572-25-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/1572-30-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/1572-27-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3044-1-0x0000000076F64000-0x0000000076F66000-memory.dmp

Filesize
8KB

Download
memory/3044-2-0x0000000000431000-0x000000000045F000-memory.dmp

Filesize
184KB

Download
memory/3044-3-0x0000000000430000-0x00000000008F4000-memory.dmp

Filesize
4.8MB

Download
memory/3044-5-0x0000000000430000-0x00000000008F4000-memory.dmp

Filesize
4.8MB

Download
memory/3044-18-0x0000000000430000-0x00000000008F4000-memory.dmp

Filesize
4.8MB

Download
memory/3044-0-0x0000000000430000-0x00000000008F4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-19-0x0000000000C11000-0x0000000000C3F000-memory.dmp

Filesize
184KB

Download
memory/3516-22-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-23-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-21-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-26-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-20-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-28-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-16-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download
memory/3516-31-0x0000000000C10000-0x00000000010D4000-memory.dmp

Filesize
4.8MB

Download