amadey | 4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b

General

Target

4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Size

1.8MB
MD5

2ae26184639c7c721dec39b877f2e2e6
SHA1

95ec2f344dfcd29c653a863aba0cd66cc7286370
SHA256

4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b
SHA512

23e78d56d7058f66d9e961670f528bdfb444bb0e33637363d11b7a2815a6c2f2749b751f8c7f1bf044a847ee3cf20fa625b9aaee15d1296fedf3fc28534d8804
SSDEEP

49152:sH62iSnANqllLAJA0XtlXuCxhAUoOBsplgCwgBpPtytgKQD:saCWq8AYmUo7rg/K7ig

Score

10^/10

amadey stealc 0657d1 default kora discovery evasion stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

default

C2

http://185.215.113.24

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	explorti.exe

Executes dropped EXE 5 IoCs

pid	Process
2860	explorti.exe
760	explorti.exe
1756	93d87fb360.exe
4420	c256027588.exe
3332	explorti.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Wine	explorti.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
2860	explorti.exe
760	explorti.exe
1756	93d87fb360.exe
3332	explorti.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorti.job	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3120	1756	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d87fb360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c256027588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
2860	explorti.exe
2860	explorti.exe
760	explorti.exe
760	explorti.exe
3332	explorti.exe
3332	explorti.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1756	93d87fb360.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2860	1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe	86
PID 1860 wrote to memory of 2860	1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe	86
PID 1860 wrote to memory of 2860	1860	4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe	86
PID 2860 wrote to memory of 1756	2860	explorti.exe	91
PID 2860 wrote to memory of 1756	2860	explorti.exe	91
PID 2860 wrote to memory of 1756	2860	explorti.exe	91
PID 2860 wrote to memory of 4420	2860	explorti.exe	92
PID 2860 wrote to memory of 4420	2860	explorti.exe	92
PID 2860 wrote to memory of 4420	2860	explorti.exe	92

C:\Users\Admin\AppData\Local\Temp\4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe
"C:\Users\Admin\AppData\Local\Temp\4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\1000037002\93d87fb360.exe
    "C:\Users\Admin\1000037002\93d87fb360.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1380
      4⤵
      Program crash
      PID:3120
- - C:\Users\Admin\AppData\Local\Temp\1000038001\c256027588.exe
    "C:\Users\Admin\AppData\Local\Temp\1000038001\c256027588.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4420

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1756 -ip 1756
1⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000037002\93d87fb360.exe

Filesize
2.5MB

MD5
14be4db1d97b50efc974bc352bf326e2

SHA1
ced26748d9c6f58d06c5113d14f2635b8ff95c3c

SHA256
1f4373f4a1d1655f2e52ff75ad9c9805e6c0332126f8d561b79dec41088e1065

SHA512
478ddd9f148fb1be611c1620a2ffd781fc037cdd6f980ff5b89bfe8c2d1967a3f3b37c4fe184cc82863f88d682e55046595d027c8ef3d996a57548aaa8d08284

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Filesize
1.8MB

MD5
2ae26184639c7c721dec39b877f2e2e6

SHA1
95ec2f344dfcd29c653a863aba0cd66cc7286370

SHA256
4cc9896a833f673c052b48210653069bf20dc60eb233c333189b394b63b5459b

SHA512
23e78d56d7058f66d9e961670f528bdfb444bb0e33637363d11b7a2815a6c2f2749b751f8c7f1bf044a847ee3cf20fa625b9aaee15d1296fedf3fc28534d8804

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\92211eb289.exe

Filesize
704KB

MD5
14cecd839354274b17b5b9b88e433c3d

SHA1
f3ad4d48e9097af3a86460e9d547cd1aab0d0bf1

SHA256
58089bf708341c03620f832570d1a0907dec521a3137273093ab699ed187631c

SHA512
ccf9ba0d3e4ec0fcf52f2bcb76be4244e178b7eaab0aeac98634caa4c28def496d57d7b67aeb32fa80666f6f07f4263775dc448d3a3b8da864dd954053b8212d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\c256027588.exe

Filesize
187KB

MD5
278ee1426274818874556aa18fd02e3a

SHA1
185a2761330024dec52134df2c8388c461451acb

SHA256
37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

SHA512
07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

Download Submit
memory/760-28-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/760-32-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/760-30-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/760-29-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/1756-83-0x0000000000400000-0x0000000000FED000-memory.dmp

Filesize
11.9MB

Download
memory/1756-65-0x0000000000400000-0x0000000000FED000-memory.dmp

Filesize
11.9MB

Download
memory/1860-4-0x0000000000200000-0x00000000006B5000-memory.dmp

Filesize
4.7MB

Download
memory/1860-3-0x0000000000200000-0x00000000006B5000-memory.dmp

Filesize
4.7MB

Download
memory/1860-16-0x0000000000200000-0x00000000006B5000-memory.dmp

Filesize
4.7MB

Download
memory/1860-0-0x0000000000200000-0x00000000006B5000-memory.dmp

Filesize
4.7MB

Download
memory/1860-2-0x0000000000201000-0x000000000022F000-memory.dmp

Filesize
184KB

Download
memory/1860-1-0x0000000077C24000-0x0000000077C26000-memory.dmp

Filesize
8KB

Download
memory/2860-20-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-18-0x0000000000F31000-0x0000000000F5F000-memory.dmp

Filesize
184KB

Download
memory/2860-25-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-24-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-23-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-33-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-34-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-22-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-49-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-21-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-19-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-26-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-94-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-17-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-84-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-93-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-86-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-87-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-92-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/2860-91-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/3332-90-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/3332-89-0x0000000000F30000-0x00000000013E5000-memory.dmp

Filesize
4.7MB

Download
memory/4420-85-0x0000000000130000-0x0000000000373000-memory.dmp

Filesize
2.3MB

Download
memory/4420-82-0x0000000000130000-0x0000000000373000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads