amadey | 17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Size

1.8MB
MD5

4cf346373d331ff441b71ae12c4420ff
SHA1

e4d53520a0b925b9122cba1f9f7cac6661ac014c
SHA256

17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa
SHA512

d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09
SSDEEP

49152:9fRIz2Mkd2gce9Umg7kce1AmWp6/9V/eIxe2Lj4zVUw5xJS:1R6vkd2synNbm4k9V/eMeIwP5xJ

Score

10^/10

amadey gcleaner stealc fed3aa stok discovery evasion loader persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	07ef1ab3cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	af9c45808b.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	07ef1ab3cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	07ef1ab3cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	af9c45808b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	af9c45808b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

Executes dropped EXE 3 IoCs

pid	Process
2832	axplong.exe
784	07ef1ab3cb.exe
2964	af9c45808b.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	07ef1ab3cb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	af9c45808b.exe

Loads dropped DLL 7 IoCs

pid	Process
3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2832	axplong.exe
2832	axplong.exe
2832	axplong.exe
2832	axplong.exe
2964	af9c45808b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\07ef1ab3cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006312001\\07ef1ab3cb.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\af9c45808b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006313001\\af9c45808b.exe"	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2832	axplong.exe
784	07ef1ab3cb.exe
2964	af9c45808b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07ef1ab3cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af9c45808b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
2832	axplong.exe
784	07ef1ab3cb.exe
2964	af9c45808b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2832	3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 3068 wrote to memory of 2832	3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 3068 wrote to memory of 2832	3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 3068 wrote to memory of 2832	3068	17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe	30
PID 2832 wrote to memory of 784	2832	axplong.exe	32
PID 2832 wrote to memory of 784	2832	axplong.exe	32
PID 2832 wrote to memory of 784	2832	axplong.exe	32
PID 2832 wrote to memory of 784	2832	axplong.exe	32
PID 2832 wrote to memory of 2964	2832	axplong.exe	34
PID 2832 wrote to memory of 2964	2832	axplong.exe	34
PID 2832 wrote to memory of 2964	2832	axplong.exe	34
PID 2832 wrote to memory of 2964	2832	axplong.exe	34

C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe
"C:\Users\Admin\AppData\Local\Temp\17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\1006312001\07ef1ab3cb.exe
    "C:\Users\Admin\AppData\Local\Temp\1006312001\07ef1ab3cb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:784
- - C:\Users\Admin\AppData\Local\Temp\1006313001\af9c45808b.exe
    "C:\Users\Admin\AppData\Local\Temp\1006313001\af9c45808b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006312001\07ef1ab3cb.exe

Filesize
1.7MB

MD5
d56131124b8e4e066eea0e28f52acb58

SHA1
d85cdef5646de4cfc1706a0a6ded1f3351ad5328

SHA256
f0c4cd81ab87a1128667b1c96409a2469cc55af7fd914aa286f9708c21aaad54

SHA512
23f3cf2de7e40d59fe05270451f19068506ee4de685ef5a41b243196e7e07a55bf5598eb86bed98b4b66a218c5ce97d6e5dcc685aa6b69ca31ffd333596b5959

Download Submit
C:\Users\Admin\AppData\Local\Temp\1006313001\af9c45808b.exe

Filesize
1.9MB

MD5
2e164f8eb316718ae1c48ed84e05dc9f

SHA1
653b1c1598a62782b58e52dd3f2c53355aad94fa

SHA256
323426e01a17e9974e2c710c0708a7232d250a2a7aa815ee7fdfac5f634af0e2

SHA512
4c47f3284fb5220338700b8a86892184fc9956844dd041a88b47d35ebabbb4a70a3922158f02c3f40e594a74f70e6c1f929750404a2b09240535ed7d91dce4a4

Download Submit
\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
4cf346373d331ff441b71ae12c4420ff

SHA1
e4d53520a0b925b9122cba1f9f7cac6661ac014c

SHA256
17f29ebe12b697ea77345bb9c0cf3c55c411783dc717c4bf5fa65e9af42686fa

SHA512
d82d681438a1df724b3b698d12049f0b4b11c829ec94de15bbf7c68a1b456675b4a5e2fa0f25a67d8daf6da28310df508f88b3cc0906fe02eb43a0c36dcb7a09

Download Submit
\Users\Admin\AppData\Local\Temp\e552fJRZ5Kf04e6ZwdwedwYs\Y-Cleaner.exe

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
memory/784-71-0x00000000000B0000-0x0000000000741000-memory.dmp

Filesize
6.6MB

Download
memory/784-48-0x00000000000B0000-0x0000000000741000-memory.dmp

Filesize
6.6MB

Download
memory/2832-72-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-117-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-121-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-120-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-23-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-25-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-24-0x0000000000DA1000-0x0000000000DCF000-memory.dmp

Filesize
184KB

Download
memory/2832-26-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-28-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-119-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-46-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-45-0x0000000006690000-0x0000000006D21000-memory.dmp

Filesize
6.6MB

Download
memory/2832-118-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-47-0x0000000006690000-0x0000000006D21000-memory.dmp

Filesize
6.6MB

Download
memory/2832-49-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-93-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-65-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-68-0x0000000006690000-0x0000000006EFE000-memory.dmp

Filesize
8.4MB

Download
memory/2832-116-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-115-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-114-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-67-0x0000000006690000-0x0000000006EFE000-memory.dmp

Filesize
8.4MB

Download
memory/2832-73-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-74-0x0000000006690000-0x0000000006D21000-memory.dmp

Filesize
6.6MB

Download
memory/2832-75-0x0000000006690000-0x0000000006D21000-memory.dmp

Filesize
6.6MB

Download
memory/2832-76-0x0000000006690000-0x0000000006EFE000-memory.dmp

Filesize
8.4MB

Download
memory/2832-113-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-112-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-79-0x0000000006690000-0x0000000006EFE000-memory.dmp

Filesize
8.4MB

Download
memory/2832-81-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2832-100-0x0000000000DA0000-0x0000000001274000-memory.dmp

Filesize
4.8MB

Download
memory/2964-99-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/2964-80-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/2964-69-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/2964-78-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/2964-85-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2964-92-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/2964-111-0x0000000000400000-0x0000000000C6E000-memory.dmp

Filesize
8.4MB

Download
memory/3068-1-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/3068-19-0x0000000006380000-0x0000000006854000-memory.dmp

Filesize
4.8MB

Download
memory/3068-2-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

Filesize
184KB

Download
memory/3068-4-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-0-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-3-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-6-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-10-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-22-0x0000000000AB0000-0x0000000000F84000-memory.dmp

Filesize
4.8MB

Download
memory/3068-18-0x0000000006380000-0x0000000006854000-memory.dmp

Filesize
4.8MB

Download