Malware Analysis Report

2024-10-18 23:30

Sample ID: 240913-h528js1fqh
Target: c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b
SHA256: c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b
Tags: amadey fed3aa discovery evasion trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b

Threat Level: Known bad

The file c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b was found to be: Known bad.

Malicious Activity Summary

Tags: amadey fed3aa discovery evasion trojan

Amadey (family signature)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger stops debug events from the calling thread reaching an attached debugger, so breakpoints in it are never reported)
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Techniques implied by the signature names above:
T1497.001 Virtualization/Sandbox Evasion: System Checks (VirtualBox ACPI key, Wine key, BIOS version values)
T1622 Debugger Evasion (NtSetInformationThread with ThreadHideFromDebugger)
T1614 / T1614.001 System Location Discovery and System Language Discovery (Geo\Nation, NLS\Language)
T1053.005 Scheduled Task/Job: Scheduled Task (axplong.job written to C:\Windows\Tasks)

Analysis: static1

Detonation Overview

Reported: 2024-09-13 07:20

Signatures

Unsigned PE (the sample carries no Authenticode signature)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-13 07:20
Reported: 2024-09-13 07:22
Platform: win10v2004-20240802-en
Max time kernel: 142s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe"

Signatures

Amadey [trojan, amadey]

Family match for Amadey; the self-copy into a %TEMP% staging directory and the scheduled-task persistence that characterise the loader are both visible in the rows below.

Identifies VirtualBox via ACPI registry values (likely anti-VM) [evasion]

HKLM\HARDWARE\ACPI\DSDT\VBOX__ is the ACPI DSDT OEM ID exposed to VirtualBox guests and does not exist on other hosts, so opening it is a direct hypervisor check. The sandbox records the open attempt, not whether it succeeded. Both the sample and the axplong.exe instances perform it.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks BIOS information in registry

SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System are filled from the firmware strings, and on a hypervisor they typically name it (VBOX, VMware, and so on); this is a second virtualisation check rather than hardware inventory.

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks computer location settings

HKCU\Control Panel\International\Geo\Nation holds the numeric GeoID of the user's configured country; reading it is the usual basis for region-based execution gating. Only the sample (not axplong.exe) read it, and only in this Windows 10 run.

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A

Identifies Wine through registry keys [evasion]

HKCU\Software\Wine is created by Wine and is absent on a real Windows installation, so opening it detects Wine-based analysis environments.

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Drops file in Windows directory

axplong.job is written straight into C:\Windows\Tasks by the sample process itself (no schtasks.exe appears in the process list), i.e. through the legacy Task Scheduler 1.0 .job format rather than the Task Scheduler 2.0 XML store. This is the persistence mechanism for the axplong.exe copy.

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A

Enumerates physical storage devices (no indicator rows recorded)

System Location Discovery: System Language Discovery [discovery]

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Suspicious use of FindShellTrayWindow

A FindWindow lookup of the Shell_TrayWnd (taskbar) window, typically used as a cheap test that an interactive desktop session exists.

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
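The signature rows above are individually weak (any inventory tool reads the BIOS version; every localised application reads NLS\Language). What makes them a detection is their combination in one process that runs from %TEMP% and also writes a Task Scheduler 1.0 job. The following is an added example written for this page, not Triage's detection code and not part of the sample: it scores per-process evidence using the registry and file indicators the tables record. The event records are constructed here in a generic shape (type/image/key or path) rather than copied from the sandbox, and the weights and the threshold are illustrative choices, not a published rule.

```python
"""Score per-process evidence of sandbox evasion, locale discovery and
scheduled-task persistence of the kind the signature tables above record.

Added example for this page: not Triage's code and not the sample's.
Indicator paths come from the report; EVENTS is constructed; weights and
threshold are illustrative.
"""
import re
from dataclasses import dataclass, field

# (indicator suffix as seen under HKLM/HKCU, signature name, tactic).
# "Key opened" and "Key value queried" both land on the same indicator.
REGISTRY_INDICATORS = [
    (r"\HARDWARE\ACPI\DSDT\VBOX__", "Identifies VirtualBox via ACPI registry values", "evasion"),
    (r"\Software\Wine", "Identifies Wine through registry keys", "evasion"),
    (r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "Checks BIOS information in registry", "discovery"),
    (r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "Checks BIOS information in registry", "discovery"),
    (r"\Control Panel\International\Geo\Nation", "Checks computer location settings", "discovery"),
    (r"\Control\NLS\Language", "System Location Discovery: System Language Discovery", "discovery"),
]
# Legacy Task Scheduler 1.0 job file dropped straight into C:\Windows\Tasks.
JOB_FILE_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.IGNORECASE)
# The sample and its copy both run from the user's %TEMP%.
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcessFindings:
    image: str
    signatures: set = field(default_factory=set)   # {(name, tactic), ...}
    job_files: list = field(default_factory=list)

    def score(self) -> int:
        # Illustrative weights: an evasion check outweighs a single discovery
        # read, a .job drop outweighs both, and running from %TEMP% adds
        # context. Real rules would tune these against a baseline.
        s = sum(2 if tactic == "evasion" else 1 for _, tactic in self.signatures)
        s += 3 * len(self.job_files)
        if USER_TEMP_RE.match(self.image):
            s += 2
        return s


def analyse(events):
    """Group events by process image and record which indicators each hit."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev["image"], ProcessFindings(ev["image"]))
        if ev["type"] == "registry":
            key = ev["key"].lower()
            for suffix, name, tactic in REGISTRY_INDICATORS:
                if suffix.lower() in key:
                    f.signatures.add((name, tactic))
        elif ev["type"] == "file_create" and JOB_FILE_RE.match(ev["path"]):
            f.job_files.append(ev["path"])
    return findings


def flagged(findings, threshold=5):
    """Processes whose combined score reaches the threshold."""
    return {img: f for img, f in findings.items() if f.score() >= threshold}


# Constructed events. The two malicious image paths are the ones in the
# report; explorer.exe and svchost.exe rows are benign noise added to show
# that a lone language lookup or an unrelated Tasks write does not fire.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe")
AXPLONG = r"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
EVENTS = [
    {"type": "registry", "image": SAMPLE, "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "image": SAMPLE, "key": r"HKCU\Software\Wine"},
    {"type": "registry", "image": SAMPLE, "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry", "image": SAMPLE, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "image": SAMPLE, "path": r"C:\Windows\Tasks\axplong.job"},
    {"type": "registry", "image": AXPLONG, "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry", "image": AXPLONG, "key": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "registry", "image": EXPLORER, "key": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "file_create", "image": SVCHOST, "path": r"C:\Windows\Tasks\SA.DAT"},
]

if __name__ == "__main__":
    for image, f in flagged(analyse(EVENTS)).items():
        print(f"{f.score():>2}  {image}")
        for name, tactic in sorted(f.signatures):
            print(f"      [{tactic}] {name}")
        for job in f.job_files:
            print(f"      [persistence] {job}")
```

The sample scores 11 (two evasion checks, two discovery reads, the .job drop, %TEMP% origin) and the axplong.exe copy scores exactly the threshold of 5 on the VirtualBox check, the language read and its %TEMP% path; explorer.exe's lone language lookup scores 1 and svchost.exe's SA.DAT write scores 0. Mapping real telemetry (Sysmon, EDR registry and file events) into the type/image/key shape is left to the reader.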

Processes

C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe
    "C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)

Six processes in total: the submitted sample, the axplong.exe copy it launches with an explicit command line, and four further axplong.exe instances started without one, consistent with relaunches by the axplong.job task during the 142 s run.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

The only non-DNS connection is TCP 185.215.113.16:80 (RU), contacted by bare IP with no hostname, which is the candidate Amadey C2 for this sample. Every other row is a reverse (PTR) lookup sent to 8.8.8.8; 16.113.215.185.in-addr.arpa is the reverse of that same address. The remaining in-addr.arpa names are reverses of addresses that never appear as direct connections in this report, so they cannot be attributed to the sample from the data shown.
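Reading a sandbox network table means decoding the in-addr.arpa names back to addresses and checking which of them correspond to connections the sample actually made. The following is an added example written for this page, not part of the report or of the sandbox: NETWORK_TABLE is the behavioral1 table above copied verbatim, and the parsing and correlation code is the editor's.

```python
"""Decode the in-addr.arpa names in a sandbox network table and tie each
reverse lookup to a direct connection, to the resolver, or to nothing.

Added example for this page. NETWORK_TABLE is copied from the report; the
code is the editor's, not the sandbox's.
"""
import ipaddress
import re

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$",
                    re.IGNORECASE)


def ptr_to_ip(name):
    """'16.113.215.185.in-addr.arpa' -> '185.215.113.16'; None if not an IPv4 PTR name."""
    m = PTR_RE.match(name.rstrip("."))
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))   # PTR names list the octets back to front
    try:
        ipaddress.IPv4Address(ip)         # rejects octets above 255
    except ValueError:
        return None
    return ip


def parse_rows(table):
    """Split 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarise(table):
    """Return the direct (non-DNS) connections and a classification of every PTR lookup."""
    rows = parse_rows(table)
    resolvers = {r["host"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    direct = {}    # host -> "ip:port/proto"
    lookups = {}   # decoded ip -> "direct" | "resolver" | "unexplained"
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip is not None:
                lookups[ip] = None
        else:
            direct[r["host"]] = f'{r["host"]}:{r["port"]}/{r["proto"]}'
    for ip in lookups:
        if ip in direct:
            lookups[ip] = "direct"        # reverse of a host the sample connected to
        elif ip in resolvers:
            lookups[ip] = "resolver"      # reverse lookup of the DNS server itself
        else:
            lookups[ip] = "unexplained"   # no matching connection in this table
    return {"direct": sorted(direct.values()), "lookups": lookups}


if __name__ == "__main__":
    s = summarise(NETWORK_TABLE)
    print("direct:", ", ".join(s["direct"]))
    for ip, kind in sorted(s["lookups"].items(), key=lambda kv: kv[1]):
        print(f"  {kind:<12} {ip}")
```

On this table the result is one direct connection (185.215.113.16:80/tcp), one PTR lookup that decodes to that same address, one that decodes to the resolver 8.8.8.8, and ten that decode to addresses with no corresponding connection in the report.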

Files

memory/2420-0-0x0000000000DE0000-0x00000000012A0000-memory.dmp

memory/2420-1-0x0000000077174000-0x0000000077176000-memory.dmp

memory/2420-2-0x0000000000DE1000-0x0000000000E0F000-memory.dmp

memory/2420-3-0x0000000000DE0000-0x00000000012A0000-memory.dmp

memory/2420-4-0x0000000000DE0000-0x00000000012A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5: cc44f606e0c1a406f099613b4928930a
SHA1: 470ce8ec93354cefeccd66b5635461f7e55771fb
SHA256: c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b
SHA512: e1560c39adfa5af48defd1a2bd9e461a3e3fd2d6195d4a6596a5c1f9d966e6ccb911c1854bee89094df8a1c156cd25f9fa9e1d312cae71d7a40051da2ee5fe8c

The dropped axplong.exe has the same SHA256 as the submitted sample: the "dropped EXE" is a byte-identical self-copy staged under %TEMP%\44111dbc49\, not a second-stage payload, and axplong.job in C:\Windows\Tasks is what relaunches it. A hash-based hunt for the sample therefore also finds the copy, whatever directory name it lands in.

memory/2420-16-0x0000000000DE0000-0x00000000012A0000-memory.dmp

memory/5024-17-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-19-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-20-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-21-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-22-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-23-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-24-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-25-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-26-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-27-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-28-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/2160-30-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/2160-31-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/2160-33-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-34-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-35-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-36-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-37-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-38-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-39-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/2432-41-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-42-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-43-0x0000000000B00000-0x0000000000FC0000-memory.dmp

memory/5024-44-0x0000000000B00000-0x0000000000FC0000-memory.dmp
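The dropped-file record gives a hunter two handles on this infection that fail in different ways: the hash (identical to the sample, so it finds renamed copies but misses a rebuilt variant) and the path layout (a random-looking directory under %TEMP% holding axplong.exe, plus the axplong.job task file). The following is an added example written for this page, not the sandbox's code: it checks the self-copy relationship and runs both kinds of match over a constructed host inventory. The hash values and the two file paths are copied from the report; the ten-hex-character directory pattern is an assumption generalised from the one directory name the report shows (44111dbc49), and the HOST_INVENTORY entries are constructed to exercise each branch, not real findings.

```python
"""Derive host-hunt checks from the dropped-file record and confirm that the
dropped executable is a byte-identical copy of the submitted sample.

Added example for this page (editor's code). Hashes and the two paths are
from the report; the 10-hex directory pattern is an assumption; the host
inventory is constructed.
"""
import hashlib
import re

SAMPLE_SHA256 = "c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b"
DROPPED = {
    "path": r"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe",
    "md5": "cc44f606e0c1a406f099613b4928930a",
    "sha1": "470ce8ec93354cefeccd66b5635461f7e55771fb",
    "sha256": "c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b",
}
JOB_PATH = r"C:\Windows\Tasks\axplong.job"

# Assumed drop layout: %LOCALAPPDATA%\Temp\<10 hex chars>\axplong.exe.
DROP_PATH_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[0-9a-f]{10}\\axplong\.exe$", re.IGNORECASE)
JOB_PATH_RE = re.compile(r"^C:\\Windows\\Tasks\\axplong\.job$", re.IGNORECASE)


def is_self_copy(sample_sha256, dropped):
    """True when the dropped file is the sample itself rather than a second stage."""
    return dropped["sha256"].lower() == sample_sha256.lower()


def file_sha256(path, chunk=1 << 20):
    """Streaming SHA-256 for use on a live host (not exercised by the demo data)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(inventory, sample_sha256=SAMPLE_SHA256):
    """Match inventory entries ({'path', 'sha256'}) and return (path, reason) pairs.

    A hash match catches the same build under any name; the path pattern
    catches a rebuilt variant that reuses the drop layout; the job path is
    the persistence artifact regardless of which binary it points at.
    """
    hits = []
    for entry in inventory:
        path, digest = entry["path"], entry.get("sha256", "").lower()
        if digest == sample_sha256.lower():
            hits.append((path, "sha256 matches sample"))
        elif DROP_PATH_RE.match(path):
            hits.append((path, "path matches Amadey drop layout"))
        elif JOB_PATH_RE.match(path):
            hits.append((path, "persistence artifact (Task Scheduler 1.0 job)"))
    return hits


# Constructed host inventory; only the first entry's values come from the report.
HOST_INVENTORY = [
    {"path": DROPPED["path"], "sha256": DROPPED["sha256"]},                        # the recorded drop
    {"path": JOB_PATH, "sha256": "1f" * 32},                                       # job file, arbitrary hash
    {"path": r"C:\Users\bob\Downloads\invoice.exe", "sha256": SAMPLE_SHA256},      # renamed copy
    {"path": r"C:\Users\bob\AppData\Local\Temp\9a8f3c21de\axplong.exe",
     "sha256": "ab" * 32},                                                         # rebuilt variant
    {"path": r"C:\Program Files\Vendor\axplong.exe", "sha256": "cd" * 32},         # same name, wrong place
    {"path": r"C:\Windows\Tasks\Adobe Update.job", "sha256": "ef" * 32},           # unrelated job
]

if __name__ == "__main__":
    print("dropped file is the sample itself:", is_self_copy(SAMPLE_SHA256, DROPPED))
    for path, why in hunt(HOST_INVENTORY):
        print(f"{why:<44} {path}")
```

Four of the six inventory entries fire: the recorded drop and the renamed copy by hash, the rebuilt variant by path layout, and the job file as the persistence artifact. The axplong.exe under Program Files and the unrelated .job are left alone, which is the point of scoping the path pattern to the %TEMP% layout rather than to the file name.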

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-13 07:20
Reported: 2024-09-13 07:22
Platform: win11-20240802-en
Max time kernel: 142s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe"

Signatures

Amadey [trojan, amadey]

Identifies VirtualBox via ACPI registry values (likely anti-VM) [evasion]

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A

Identifies Wine through registry keys [evasion]

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A

Enumerates physical storage devices (no indicator rows recorded)

System Location Discovery: System Language Discovery [discovery]

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe
    "C:\Users\Admin\AppData\Local\Temp\c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (no command line recorded)

Network

Country | Destination | Domain | Proto
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp

The Windows 11 run shows only the candidate C2 connection to 185.215.113.16:80 and the reverse lookup of that address; none of the other reverse lookups seen on Windows 10 recur here.

Files

memory/3588-0-0x0000000000E80000-0x0000000001340000-memory.dmp

memory/3588-1-0x00000000770F6000-0x00000000770F8000-memory.dmp

memory/3588-2-0x0000000000E81000-0x0000000000EAF000-memory.dmp

memory/3588-3-0x0000000000E80000-0x0000000001340000-memory.dmp

memory/3588-4-0x0000000000E80000-0x0000000001340000-memory.dmp

memory/3588-5-0x0000000000E80000-0x0000000001340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5: cc44f606e0c1a406f099613b4928930a
SHA1: 470ce8ec93354cefeccd66b5635461f7e55771fb
SHA256: c19b53d7d6cfa7b297f0aa783c701ca73d2259036102ebb748398ad8ca847e5b
SHA512: e1560c39adfa5af48defd1a2bd9e461a3e3fd2d6195d4a6596a5c1f9d966e6ccb911c1854bee89094df8a1c156cd25f9fa9e1d312cae71d7a40051da2ee5fe8c

Same hashes as the submitted sample and as the behavioral1 drop: the Windows 11 run stages the identical self-copy under the same directory name.

memory/3588-18-0x0000000000E80000-0x0000000001340000-memory.dmp

memory/1888-19-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-20-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-21-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-22-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-23-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-24-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-25-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-26-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-27-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-28-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3068-30-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3068-31-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3068-32-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/3068-34-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-35-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-36-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-37-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-38-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-39-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-40-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/2332-42-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-43-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-44-0x0000000000CE0000-0x00000000011A0000-memory.dmp

memory/1888-45-0x0000000000CE0000-0x00000000011A0000-memory.dmp