Analysis
-
max time kernel
111s -
max time network
77s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-01-2025 02:18
General
-
Target
cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4fN.exe
-
Size
1.9MB
-
MD5
ceb82cb200a0c9146b43093f70657510
-
SHA1
3ab9c90eb09c1f6cea530c3911e606b661cc4db6
-
SHA256
cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4f
-
SHA512
3930892e787513fd8c060068d223ca14d3a27c5ba410973f28444b4fc3696575e9777bc991d433048d15ec7598367cfb2650008d8a3d88907767750a8575a844
-
SSDEEP
49152:LMoQjRRxtOi2J7laOuW5JBIpiNH1TQ8SXTp+:8jfxURCSIpuHSVV+
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4fN.exe"C:\Users\Admin\AppData\Local\Temp\cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4fN.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5ceb82cb200a0c9146b43093f70657510
SHA13ab9c90eb09c1f6cea530c3911e606b661cc4db6
SHA256cf69f87d2720d622d42c1926340408e133e4ddceb35cf41f904f440d30a62c4f
SHA5123930892e787513fd8c060068d223ca14d3a27c5ba410973f28444b4fc3696575e9777bc991d433048d15ec7598367cfb2650008d8a3d88907767750a8575a844
-
Filesize
4.9MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB