Malware Analysis Report

2024-10-18 23:35

Sample ID: 240926-2g8vzathke
Target: 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6
SHA256: 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6
Tags: amadey fed3aa discovery evasion trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6

Threat Level: Known bad

The file 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6 was found to be: Known bad.

Malicious Activity Summary

Tags: amadey fed3aa discovery evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-26 22:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-26 22:34

Reported

2024-09-26 22:39

Platform

win7-20240903-en

Max time kernel

290s

Max time network

260s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | "C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

Network

Country | Destination | Domain | Proto
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp

Files

memory/2964-0-0x00000000013A0000-0x000000000186F000-memory.dmp

memory/2964-1-0x0000000077040000-0x0000000077042000-memory.dmp

memory/2964-2-0x00000000013A1000-0x00000000013CF000-memory.dmp

memory/2964-3-0x00000000013A0000-0x000000000186F000-memory.dmp

memory/2964-5-0x00000000013A0000-0x000000000186F000-memory.dmp

memory/2964-10-0x00000000013A0000-0x000000000186F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5: e914e6089699d5fa9359558f576720a0
SHA1: 4fe9597d8b7fed7012218c8973a1b3f87a9cf636
SHA256: 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6
SHA512: fb23af38bcc4c860c3912dde55767d80392a7a5c59cea5679c7ed45b75cf2b905bfbd84233cceb283b020c71195eef54d7ef6d6e5e8e771532810dcfdc6832ea

memory/2964-16-0x00000000013A0000-0x000000000186F000-memory.dmp

memory/2748-17-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-18-0x0000000000361000-0x000000000038F000-memory.dmp

memory/2748-19-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-21-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-22-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-23-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-24-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-25-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-26-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-27-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-28-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-29-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-30-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-31-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-32-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-33-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-34-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-35-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-36-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-37-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-38-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-39-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-40-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-41-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-42-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-43-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-44-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-45-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-46-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-47-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-48-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-49-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-50-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-51-0x0000000000360000-0x000000000082F000-memory.dmp

memory/2748-52-0x0000000000360000-0x000000000082F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-26 22:34

Reported

2024-09-26 22:39

Platform

win10-20240404-en

Max time kernel

292s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe | "C:\Users\Admin\AppData\Local\Temp\2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (10 further instances listed without a command line) |

Network

Country | Destination | Domain | Proto
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp

Files

memory/420-0-0x00000000012F0000-0x00000000017BF000-memory.dmp

memory/420-1-0x0000000077194000-0x0000000077195000-memory.dmp

memory/420-2-0x00000000012F1000-0x000000000131F000-memory.dmp

memory/420-3-0x00000000012F0000-0x00000000017BF000-memory.dmp

memory/420-4-0x00000000012F0000-0x00000000017BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5: e914e6089699d5fa9359558f576720a0
SHA1: 4fe9597d8b7fed7012218c8973a1b3f87a9cf636
SHA256: 2a7a31ebd8784c214b9426dd648b56c1c8dd56524b64837bb459939aaaa53ba6
SHA512: fb23af38bcc4c860c3912dde55767d80392a7a5c59cea5679c7ed45b75cf2b905bfbd84233cceb283b020c71195eef54d7ef6d6e5e8e771532810dcfdc6832ea

memory/420-14-0x00000000012F0000-0x00000000017BF000-memory.dmp

memory/4428-15-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-16-0x00000000000E1000-0x000000000010F000-memory.dmp

memory/4428-17-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-18-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-19-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-20-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-21-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-22-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-23-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/220-25-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/220-26-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-27-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-28-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-29-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-30-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-31-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-32-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/652-34-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/652-35-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-36-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-37-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-38-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-39-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-40-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-41-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/1232-43-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-44-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-45-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-46-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-47-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-48-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-49-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/1400-51-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-52-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-53-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-54-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-55-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-56-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-57-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4356-59-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-60-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-61-0x00000000000E0000-0x00000000005AF000-memory.dmp

memory/4428-62-0x00000000000E0000-0x00000000005AF000-memory.dmp