amadey | 7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0

General

Target

7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
Size

2.9MB
MD5

375e153f654df2bfdb976c882b45f7ee
SHA1

3cfb6520e5738940933a67b55c604342f9524cac
SHA256

7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0
SHA512

7256dca53420886d81863fc80d5aa4cb3b6d97f089d3f43ea55b12cbb52608533c26a7b38edd2deb5a191ad06aa26ef9f563f6b48f3722d5c875646a9f4de2d5
SSDEEP

49152:cNhhKC1DLsZ9d7L1GjQyptUw9+4auCYjAuLd:cNhh/VLGJd4atkA+

Score

10^/10

amadey 9c9aa5 discovery evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 3 IoCs

pid	Process
1224	skotes.exe
228	skotes.exe
1708	skotes.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
1224	skotes.exe
228	skotes.exe
1708	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
1224	skotes.exe
1224	skotes.exe
228	skotes.exe
228	skotes.exe
1708	skotes.exe
1708	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1224	4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe	85
PID 4188 wrote to memory of 1224	4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe	85
PID 4188 wrote to memory of 1224	4188	7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe	85

C:\Users\Admin\AppData\Local\Temp\7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe
"C:\Users\Admin\AppData\Local\Temp\7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe

Filesize
2.1MB

MD5
358366eb03d4e00ab4b8be79a80313bb

SHA1
68b7eea78b9b6f81e8e5dd60e6c8e0776b5331fd

SHA256
810096be16ba02c85e96c0f07ed45d2ad7e1f387cb69fdc126cf6b9cb3c1ec1f

SHA512
5e821716a2d93336215fcec5afda9dccc8f00ee718dd91b3a0886c130ec537c596073d58639576f9ad6686cbd3bcb9114819dca073d147feceeee3b62d2a4b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe

Filesize
496KB

MD5
996f5965db414377ff5ce73eef20a563

SHA1
aa53160564b1672b188839450cb88d6c9f36a514

SHA256
e34c4721e8545898750afbe6d5e7930cf2ac3a6f77dcd5695a38fdded19475ff

SHA512
a0c2b7b182bdae6c0c2e0762ce80b8bb793c5c00557f51fc04de77d1a00a8db5e3afc50c3c4f36b324938f3364cb3b9b6815a5706cd077fd16adeaa6de556d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.9MB

MD5
375e153f654df2bfdb976c882b45f7ee

SHA1
3cfb6520e5738940933a67b55c604342f9524cac

SHA256
7e3f4addd4c62ae1a2f9aa96c4f38993817c1299500af0ac75a500c42a05c3c0

SHA512
7256dca53420886d81863fc80d5aa4cb3b6d97f089d3f43ea55b12cbb52608533c26a7b38edd2deb5a191ad06aa26ef9f563f6b48f3722d5c875646a9f4de2d5

Download Submit
memory/228-49-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/228-47-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/228-46-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-18-0x00000000008D1000-0x00000000008FF000-memory.dmp

Filesize
184KB

Download
memory/1224-44-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-59-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-19-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-21-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-20-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-22-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-23-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-24-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-25-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-26-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-27-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-28-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-29-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-58-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-16-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-57-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-54-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-53-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-50-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-51-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1224-52-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/1708-56-0x00000000008D0000-0x0000000000BED000-memory.dmp

Filesize
3.1MB

Download
memory/4188-2-0x00000000006E1000-0x000000000070F000-memory.dmp

Filesize
184KB

Download
memory/4188-3-0x00000000006E0000-0x00000000009FD000-memory.dmp

Filesize
3.1MB

Download
memory/4188-4-0x00000000006E0000-0x00000000009FD000-memory.dmp

Filesize
3.1MB

Download
memory/4188-15-0x00000000006E0000-0x00000000009FD000-memory.dmp

Filesize
3.1MB

Download
memory/4188-0-0x00000000006E0000-0x00000000009FD000-memory.dmp

Filesize
3.1MB

Download
memory/4188-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads