Overview

overview

10

Static

static

3

ea138d7d66...f7.exe

windows7-x64

10

ea138d7d66...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7.exe

  • Size

    1.8MB

  • MD5

    e9032bd6b7f9a11522cedfca03475bd2

  • SHA1

    c40aaa57ea60cf8e59eab614e9964e8b918da330

  • SHA256

    ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7

  • SHA512

    cd09ea873547c8481efe93b1c22d51c40ab29469d5184a56632b61811c596a5d042349c56473da86066b18c4068dc75cf2a1d3941ee0833f0b51115808f5fbd1

  • SSDEEP

    49152:a6FQLJIs5Yt1UfEjICgpaQ3/v+GHRRM3l:hqL0TSv+GxE

Score
10/10
amadey9c9aa5discoveryevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7.exe
    "C:\Users\Admin\AppData\Local\Temp\ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\1008335001\a18627f18c.exe
        "C:\Users\Admin\AppData\Local\Temp\1008335001\a18627f18c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2300
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3976
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4536
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1008326001\7d55cf7296.exe
    Filesize

    256KB

    MD5

    8a3ac62b029ce1fe656e46ba9880fa5a

    SHA1

    01378aea6f65611b1a586acb8bfd3f4bb36da35e

    SHA256

    8311af9fe7e4578b3591025750a8057e3fe06387a4496aa79176caab7e840dcf

    SHA512

    eb9595e81861ca51f828d4185770bdd6258eaf2102c7d362c5426a19f8ca75c2fc8ef15db02daba85e6b354809bdfdaacbeb7847906db846e2487439b20f0509

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1008335001\a18627f18c.exe
    Filesize

    1.8MB

    MD5

    3fd8fbf9d0d8926b7accf16c4926e8d5

    SHA1

    ee55c5ca14d44195cc01a8096a34d7a65f99e48f

    SHA256

    2b479995dd51e8fe91a803ad304efe336588ca5ef5cd43f87cecb04af9bd7358

    SHA512

    da0ecc60bb83d69bf71b7cb2fb3844369fecbcb21ef7eee98aea37f6dfe68899782c98eff90fab85338240c2b1c0ea6aacadb22c732bc5fe20a9589f600284d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Filesize

    1.8MB

    MD5

    e9032bd6b7f9a11522cedfca03475bd2

    SHA1

    c40aaa57ea60cf8e59eab614e9964e8b918da330

    SHA256

    ea138d7d66a019829246b7a005aeae4a983054dcc7f2785148a8891ecbee03f7

    SHA512

    cd09ea873547c8481efe93b1c22d51c40ab29469d5184a56632b61811c596a5d042349c56473da86066b18c4068dc75cf2a1d3941ee0833f0b51115808f5fbd1

    Download Submit

  • memory/896-1-0x00000000776A4000-0x00000000776A6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/896-2-0x0000000000A31000-0x0000000000A5F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/896-3-0x0000000000A30000-0x0000000000EF1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/896-4-0x0000000000A30000-0x0000000000EF1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/896-18-0x0000000000A30000-0x0000000000EF1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/896-0-0x0000000000A30000-0x0000000000EF1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1344-80-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1344-79-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-21-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-66-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-82-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-81-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-16-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-19-0x0000000000E61000-0x0000000000E8F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2052-43-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-44-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-45-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-20-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-77-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-62-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-76-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-64-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-65-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-75-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-67-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-68-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-74-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-73-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2052-72-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2300-63-0x0000000000B40000-0x0000000000FDF000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2300-61-0x0000000000B40000-0x0000000000FDF000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/3976-24-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3976-23-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3976-27-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3976-28-0x0000000000E61000-0x0000000000E8F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3976-25-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4536-71-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4536-70-0x0000000000E60000-0x0000000001321000-memory.dmp

    Filesize

    4.8MB

    Download