Malware Analysis Report

2024-10-23 21:50

Sample ID 240910-n75dkstaqj
Target 7583f2c05935728d457b529dafe57880N
SHA256 aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc
Tags amadey c7817d discovery evasion trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc

Threat Level: Known bad

The file 7583f2c05935728d457b529dafe57880N was found to be: Known bad.

Malicious Activity Summary

amadey c7817d discovery evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-10 12:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-10 12:03

Reported

2024-09-10 12:06

Platform

win7-20240903-en

Max time kernel

1s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
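
The registry indicators in the signature tables above (the VBOX__ ACPI table, the SystemBiosVersion and VideoBiosVersion values, the Software\Wine key and the NLS\Language key) are what the sandbox matched to produce the evasion and discovery tags. The Python below is an added example written for this page, not output of the sandbox or code from the Amadey sample; it shows how the same matching can be run over registry-access events collected from an endpoint. The rules reuse this report's signature names and key paths, and a process is flagged when it stacks two or more distinct VM/Wine fingerprinting checks, which ordinary software rarely does, while a lone language lookup is recorded but not flagged. The event records are constructed: the assignment of PIDs 2024 and 2744 to the submitted sample and the dropped copy is an inference from the memory dump names in this report, the explorer.exe rows are a benign control, and the FADT/RSDT alternatives in the VirtualBox rule are an assumption added here rather than something this report observed.

```python
import re

# Detection rules. Names and tags follow the signature list in this report; the key
# patterns are the registry paths the report shows. The FADT/RSDT alternatives in the
# VirtualBox rule are an assumption added for this example (VirtualBox stamps the same
# OEM identifier on those ACPI tables), not an observation from this report.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "evasion",
     re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("Checks BIOS information in registry", "evasion",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    ("Identifies Wine through registry keys", "evasion",
     re.compile(r"\\Software\\Wine$", re.I)),
    ("System Location Discovery: System Language Discovery", "discovery",
     re.compile(r"\\Control\\NLS\\Language$", re.I)),
]

ORIGINAL = r"C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000"

# Constructed event stream in the shape of a registry-audit feed (one dict per key
# access). Key paths are the indicators from this report; the PID assignment follows the
# memory dump names (2024 = submitted sample, 2744 = dropped copy) and is an inference;
# the explorer.exe rows are a constructed benign control.
EVENTS = [
    {"pid": 2024, "image": ORIGINAL, "op": "KeyOpened", "key": HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2024, "image": ORIGINAL, "op": "ValueQueried", "key": HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2024, "image": ORIGINAL, "op": "ValueQueried", "key": HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 2024, "image": ORIGINAL, "op": "KeyOpened", "key": HKU + r"\Software\Wine"},
    {"pid": 2024, "image": ORIGINAL, "op": "KeyOpened", "key": HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 2744, "image": DROPPED, "op": "KeyOpened", "key": HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2744, "image": DROPPED, "op": "ValueQueried", "key": HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2744, "image": DROPPED, "op": "KeyOpened", "key": HKU + r"\Software\Wine"},
    {"pid": 2744, "image": DROPPED, "op": "KeyOpened", "key": HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 1337, "image": r"C:\Windows\explorer.exe", "op": "KeyOpened", "key": HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 1337, "image": r"C:\Windows\explorer.exe", "op": "KeyOpened", "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer"},
]


def match_rules(key):
    """Return the (signature name, tag) pairs whose pattern matches a registry path."""
    return [(name, tag) for name, tag, pattern in RULES if pattern.search(key)]


def triage(events, min_evasion=2):
    """Aggregate matches per PID and flag processes that stack evasion checks.

    One VM-related lookup is weak evidence on its own (installers and drivers read BIOS
    strings too); two or more distinct fingerprinting checks from a single process is the
    behaviour the report's 'evasion' tag describes.
    """
    per_pid = {}
    for ev in events:
        entry = per_pid.setdefault(ev["pid"], {"image": ev["image"], "signatures": set(), "tags": set()})
        for name, tag in match_rules(ev["key"]):
            entry["signatures"].add(name)
            entry["tags"].add(tag)
    for entry in per_pid.values():
        evasion_hits = sum(1 for name, tag, _ in RULES if tag == "evasion" and name in entry["signatures"])
        entry["suspicious"] = evasion_hits >= min_evasion
    return per_pid


if __name__ == "__main__":
    for pid, entry in sorted(triage(EVENTS).items()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{pid:>5} {flag:<10} {sorted(entry['tags'])} {entry['image']}")
        for sig in sorted(entry["signatures"]):
            print(f"      - {sig}")
```

The threshold is the part worth tuning: the BIOS version values are read by plenty of legitimate software, so on their own they should raise nothing, whereas the VBOX__ ACPI key and the Software\Wine key have almost no benign readers and the combination seen here from both processes is a strong signal.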

Processes

C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe

"C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

Network

Country | Destination | Domain | Proto
RU | 31.41.244.10:80 | | tcp
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp

Files

memory/2024-0-0x0000000000F10000-0x00000000013CE000-memory.dmp

memory/2024-2-0x0000000000F11000-0x0000000000F3F000-memory.dmp

memory/2024-3-0x0000000000F10000-0x00000000013CE000-memory.dmp

memory/2024-1-0x00000000772A0000-0x00000000772A2000-memory.dmp

memory/2024-5-0x0000000000F10000-0x00000000013CE000-memory.dmp

memory/2024-16-0x0000000000F10000-0x00000000013CE000-memory.dmp

memory/2744-17-0x0000000000C60000-0x000000000111E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 7583f2c05935728d457b529dafe57880
SHA1 f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1
SHA256 aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc
SHA512 ddcfde847c7cd88087e155f4bb229870344db0f27aedfbc38edcf3d8637fbf94d8e934ff036193bd510bb0567a4ceba6ba80317c4ecd08ca9728178e6a5c3da5

memory/2024-18-0x0000000006B70000-0x000000000702E000-memory.dmp

memory/2744-20-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-19-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2024-10-0x0000000000F10000-0x00000000013CE000-memory.dmp

memory/2744-22-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-23-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-25-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-24-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-26-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-27-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-28-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-29-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-30-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-31-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-32-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-33-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-34-0x0000000000C60000-0x000000000111E000-memory.dmp

memory/2744-35-0x0000000000C60000-0x000000000111E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-10 12:03

Reported

2024-09-10 12:06

Platform

win10v2004-20240802-en

Max time kernel

1s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\svoutse.job | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe

"C:\Users\Admin\AppData\Local\Temp\7583f2c05935728d457b529dafe57880N.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 31.41.244.10:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 52.111.227.13:443 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
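
Most of the UDP rows in this table are reverse-DNS (PTR) queries sent to 8.8.8.8, and two of them, 10.244.41.31.in-addr.arpa and 11.244.41.31.in-addr.arpa, are the reversed forms of the two hosts the sample talks to over TCP port 80. The Python below is an added example for this page (not sandbox output and not code from the sample) that reads the table in the pipe-delimited form reproduced above, turns each in-addr.arpa name back into an address, and reports which TCP destinations also had a PTR lookup, so that the C2 candidates stand out from the background of reverse lookups for Microsoft and other ranges that a Windows guest generates on its own. The table text embedded in the block is copied from this report; whether the PTR queries were issued by the sample or by the guest OS is not something the table tells us, so the code only correlates, it does not attribute.

```python
import ipaddress

# Behavioural2 network table as it appears in this report (pipe-delimited form).
NETWORK_TABLE = """\
Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 31.41.244.10:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 31.41.244.10:80 | 31.41.244.10 | tcp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
RU | 31.41.244.11:80 | 31.41.244.11 | tcp
US | 52.111.227.13:443 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
"""


def parse_network_table(text):
    """Parse the pipe-delimited table into row dicts; an empty Domain cell becomes None."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    rows = []
    for line in lines[1:]:  # skip the header row
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Turn a reverse-DNS name (10.244.41.31.in-addr.arpa) back into an IPv4 address
    (31.41.244.10). Returns None for anything that is not a 4-octet in-addr.arpa name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def correlate(rows):
    """Return the TCP destinations, the addresses that had PTR lookups, and their overlap."""
    tcp_targets = {r["ip"] for r in rows if r["proto"] == "tcp"}
    ptr_lookups = {ptr_to_ip(r["domain"]) for r in rows} - {None}
    return {"tcp_targets": tcp_targets,
            "ptr_lookups": ptr_lookups,
            "tcp_with_ptr": tcp_targets & ptr_lookups}


if __name__ == "__main__":
    result = correlate(parse_network_table(NETWORK_TABLE))
    print("TCP destinations :", sorted(result["tcp_targets"]))
    print("PTR lookups      :", sorted(result["ptr_lookups"]))
    print("TCP + PTR overlap:", sorted(result["tcp_with_ptr"]))
```

The overlap set is the one to carry into blocking or hunting: the two 31.41.244.x hosts are contacted on port 80 in both detonations and are the only TCP destinations that also appear in the reverse lookups; 52.111.227.13:443 is contacted once, has no PTR in this table, and should be checked against known Microsoft ranges before it is treated as an indicator.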

Files

memory/4660-0-0x00000000004F0000-0x00000000009AE000-memory.dmp

memory/4660-1-0x00000000773A4000-0x00000000773A6000-memory.dmp

memory/4660-2-0x00000000004F1000-0x000000000051F000-memory.dmp

memory/4660-3-0x00000000004F0000-0x00000000009AE000-memory.dmp

memory/4660-5-0x00000000004F0000-0x00000000009AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 7583f2c05935728d457b529dafe57880
SHA1 f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1
SHA256 aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc
SHA512 ddcfde847c7cd88087e155f4bb229870344db0f27aedfbc38edcf3d8637fbf94d8e934ff036193bd510bb0567a4ceba6ba80317c4ecd08ca9728178e6a5c3da5

memory/4896-17-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4660-15-0x00000000004F0000-0x00000000009AE000-memory.dmp

memory/4896-19-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-18-0x00000000005B1000-0x00000000005DF000-memory.dmp

memory/4896-20-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-21-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-22-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-23-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-24-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-25-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-26-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-27-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/2584-29-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/2584-31-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/2584-30-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/2584-34-0x00000000005B1000-0x00000000005DF000-memory.dmp

memory/2584-33-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-35-0x00000000005B0000-0x0000000000A6E000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000026000\750a71e0ca.exe

MD5 3ce070654e64d01bb14cb5694ee9ff57
SHA1 8ef1cffa571efde14cd3899654132ae5cd75aa49
SHA256 619ce48fa3869618fe7859a4c87106b6288eef555cd5bc839f7e49c30def8028
SHA512 e692068ed949405e97e7c69580b2a6e7e935449465958ad2077262fc067b3b68a3fa7d23d61d28cd1a07692211592d53667ce3e5ed98abc0afb94e51faf6a9d3

memory/4896-50-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-51-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-52-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-53-0x00000000005B0000-0x0000000000A6E000-memory.dmp

memory/4896-54-0x00000000005B0000-0x0000000000A6E000-memory.dmp
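
Two facts in the Files lists are worth pulling out. First, the dropped C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample (its MD5 is the 7583f2c0... in the target name), so "Executes dropped EXE" here means the sample copied itself to a random-named %TEMP% subdirectory and relaunched, with the C:\Windows\Tasks\svoutse.job file from the "Drops file in Windows directory" signature as the scheduled-task hook that re-runs that copy; C:\Users\Admin\AppData\Roaming\1000026000\750a71e0ca.exe, by contrast, is a different binary, consistent with the "Downloads MZ/PE file" signature. Second, every dumped process (2024 and 2744 on Windows 7, 4660, 4896 and 2584 on Windows 10) contains a 0x4BE000-byte region at a different base, which is what one expects when the same image is mapped in each. The Python below is an added example for this page, not sandbox output and not code from the sample: it parses the dump file names, computes the region sizes per PID, and checks hash records for the self-copy relationship. The dump names and hashes are copied from this report (repeated re-dumps of an identical range are omitted); nothing else is assumed.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Dump names from the Files lists of both detonations, one per distinct range per PID.
DUMPS = [
    "memory/2024-0-0x0000000000F10000-0x00000000013CE000-memory.dmp",
    "memory/2024-2-0x0000000000F11000-0x0000000000F3F000-memory.dmp",
    "memory/2024-1-0x00000000772A0000-0x00000000772A2000-memory.dmp",
    "memory/2024-18-0x0000000006B70000-0x000000000702E000-memory.dmp",
    "memory/2744-17-0x0000000000C60000-0x000000000111E000-memory.dmp",
    "memory/4660-0-0x00000000004F0000-0x00000000009AE000-memory.dmp",
    "memory/4660-1-0x00000000773A4000-0x00000000773A6000-memory.dmp",
    "memory/4660-2-0x00000000004F1000-0x000000000051F000-memory.dmp",
    "memory/4896-17-0x00000000005B0000-0x0000000000A6E000-memory.dmp",
    "memory/4896-18-0x00000000005B1000-0x00000000005DF000-memory.dmp",
    "memory/2584-29-0x00000000005B0000-0x0000000000A6E000-memory.dmp",
    "memory/2584-34-0x00000000005B1000-0x00000000005DF000-memory.dmp",
]

# Hash records as listed in this report.
SUBMITTED = {
    "md5": "7583f2c05935728d457b529dafe57880",
    "sha1": "f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1",
    "sha256": "aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc",
}
DROPPED_SVOUTSE = {
    "md5": "7583f2c05935728d457b529dafe57880",
    "sha1": "f8a2e4364c2b39b8d4b5c6d9bbe6af26b269cae1",
    "sha256": "aa59cc30f588ae4fa87e9431daa1d522624672bb2b900bbeac36ecb7a8388bbc",
}
DROPPED_750A71E0CA = {
    "md5": "3ce070654e64d01bb14cb5694ee9ff57",
    "sha1": "8ef1cffa571efde14cd3899654132ae5cd75aa49",
    "sha256": "619ce48fa3869618fe7859a4c87106b6288eef555cd5bc839f7e49c30def8028",
}


def parse_dump_name(name):
    """Return (pid, sequence, start, end) from a sandbox memory dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_sizes(names):
    """Group dumps by PID and return the distinct region sizes (end - start) per process."""
    sizes = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump_name(n)
        sizes[pid].add(end - start)
    return dict(sizes)


def common_region_sizes(names):
    """Region sizes that occur in every dumped process; a shared image shows up here."""
    per_pid = region_sizes(names)
    return set.intersection(*per_pid.values()) if per_pid else set()


def is_self_copy(a, b):
    """True when every hash algorithm present in both records agrees (SHA256 required)."""
    shared = set(a) & set(b)
    if "sha256" not in shared:
        raise ValueError("both records need a sha256 value")
    return all(a[h].lower() == b[h].lower() for h in shared)


if __name__ == "__main__":
    for pid, sizes in sorted(region_sizes(DUMPS).items()):
        print(pid, [hex(s) for s in sorted(sizes, reverse=True)])
    print("common region size:", [hex(s) for s in common_region_sizes(DUMPS)])
    print("svoutse.exe is a self-copy:", is_self_copy(SUBMITTED, DROPPED_SVOUTSE))
    print("750a71e0ca.exe is a self-copy:", is_self_copy(SUBMITTED, DROPPED_750A71E0CA))
```

For response purposes the self-copy result means one set of hashes covers both the initial file and the persisted copy, while 750a71e0ca.exe needs its own indicator; the shared 0x4BE000 region size is a quick consistency check that the dumps from both platforms belong to the same image before spending time diffing them.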