Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    3.0MB

  • MD5

    2afae348eca56f5a910f8e57dcf0a31f

  • SHA1

    a6ac3775a8e74dd2a3efe190af54b488803464b2

  • SHA256

    4f30e0285d3aac1a24b85e13a7067a801be9cec1aaf14671bdc96778f70d2aa9

  • SHA512

    71bfc9e452507034abf6a9c57c4c0d6d40474c2253501a971728ae29b39a5f44be6ee88df2706422d74ea3cd05ac42b8261d2c4b1b8d3af41fba2f8717538dd1

  • SSDEEP

    49152:xOx8PYLHD4HZrE7CGsP1o7nh8J6LcPsnEUFTjnTK2+vyU5/UwICjV:x7FGsPm7nh8J6Lc0EUo2eyU5/dI

Score
10/10
amadey9c9aa5discoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe
        "C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:408
      • C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe
        "C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2552
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3812
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    84525ac2c52cedf67aa38131b3f41efb

    SHA1

    080afd23b33aabd0285594d580d21acde7229173

    SHA256

    ae524d9d757bed48d552b059f951ffd25a7d963ae44a554cb1f3a9641e524080

    SHA512

    d898b0913b4005bbbf22a5457ad1e86345860868bc2e53187ad8267c07824d592160a27d850978ebfe78392db784fffb80b73e27418d3a71708383d738ea1d57

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    34cf1c9203d06962eea6d9a60cfb2d66

    SHA1

    200e3cdaa4988d5b8ca91aa65b2a640e2b58b5d9

    SHA256

    7d29d2f9a9156ca8d043a9b2d0b1266e605d199c909faa85931126eadfe49003

    SHA512

    a9bec478ee08e83f94475916e38817ca2939f5f4c1fc3666f9272171d521da43987ac5ab083caef42ef2c883152a3d16e5dbced256ceff569c9161c136d96dfa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe
    Filesize

    896KB

    MD5

    2d18c31e3cf2aca245f7af53c95e736e

    SHA1

    a83fc310ca32d2ec3b09aa1e922fa9fae3ee3dc8

    SHA256

    4ca82d9cd9b76815f9b71ec9a19b08710aa887590e45458aba34e4b8b4ffc102

    SHA512

    60a4bc5f9d464231582ff20c58cd1835f58461c4dbe6ee4f3d8b30159f4c8a7e401f55ad3443c8a3856cc9b2a2d41c280a74506440489ed2030517d50a691d18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe
    Filesize

    591KB

    MD5

    3567cb15156760b2f111512ffdbc1451

    SHA1

    2fdb1f235fc5a9a32477dab4220ece5fda1539d4

    SHA256

    0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630

    SHA512

    e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Filesize

    3.0MB

    MD5

    2afae348eca56f5a910f8e57dcf0a31f

    SHA1

    a6ac3775a8e74dd2a3efe190af54b488803464b2

    SHA256

    4f30e0285d3aac1a24b85e13a7067a801be9cec1aaf14671bdc96778f70d2aa9

    SHA512

    71bfc9e452507034abf6a9c57c4c0d6d40474c2253501a971728ae29b39a5f44be6ee88df2706422d74ea3cd05ac42b8261d2c4b1b8d3af41fba2f8717538dd1

    Download Submit

  • memory/1532-58-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2440-3-0x0000000000FF0000-0x00000000012F7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2440-15-0x0000000000FF0000-0x00000000012F7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2440-17-0x0000000000FF1000-0x0000000001059000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2440-4-0x0000000000FF0000-0x00000000012F7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2440-0-0x0000000000FF0000-0x00000000012F7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2440-2-0x0000000000FF1000-0x0000000001059000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2440-1-0x00000000774D4000-0x00000000774D6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2732-28-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-37-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-25-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-26-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-27-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-23-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-29-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-30-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-18-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-19-0x00000000008C1000-0x0000000000929000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2732-100-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-78-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-36-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-24-0x00000000008C1000-0x0000000000929000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2732-38-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-39-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-22-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-54-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-55-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-21-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-59-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-20-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3812-35-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3812-34-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3812-33-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3812-32-0x00000000008C0000-0x0000000000BC7000-memory.dmp

    Filesize

    3.0MB

    Download