amadey | 10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6

Analysis

max time kernel
143s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe
Size

7.3MB
MD5

68ed6eb42e4f604269632fb1f140454e
SHA1

865d58f1e293028bf1e2ccd923f2ca3e67d68b2b
SHA256

10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6
SHA512

5d4fbb011839d60c5d6da8a6c6f83ef0b1bbf6809514117c96d1f9e9eed0fd6d962479861eebb6f71a660cbee73fa3b551289b34f750e00551ca77fa2f947199
SSDEEP

196608:5J6UczK1DpX5jlVUpjCWhOKiV91FsWTxZKsQIZIzAsTqot0e9:5N0KbX5jEpj9hlaPsoxZGdWe

Score

10^/10

amadey 9c9aa5 discovery evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1k73S7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2m8966.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2m8966.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1k73S7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1k73S7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2m8966.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	1k73S7.exe

Executes dropped EXE 8 IoCs

pid	Process
456	s5F60.exe
1644	H7n39.exe
1692	1k73S7.exe
1452	skotes.exe
3180	2m8966.exe
4044	skotes.exe
4400	skotes.exe
2876	skotes.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	2m8966.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	1k73S7.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	s5F60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	H7n39.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1692	1k73S7.exe
3180	2m8966.exe
1452	skotes.exe
4044	skotes.exe
4400	skotes.exe
2876	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1k73S7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1k73S7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2m8966.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s5F60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H7n39.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1692	1k73S7.exe
1692	1k73S7.exe
3180	2m8966.exe
3180	2m8966.exe
1452	skotes.exe
1452	skotes.exe
4044	skotes.exe
4044	skotes.exe
4400	skotes.exe
4400	skotes.exe
2876	skotes.exe
2876	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	1k73S7.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 456	4848	10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe	83
PID 4848 wrote to memory of 456	4848	10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe	83
PID 4848 wrote to memory of 456	4848	10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe	83
PID 456 wrote to memory of 1644	456	s5F60.exe	84
PID 456 wrote to memory of 1644	456	s5F60.exe	84
PID 456 wrote to memory of 1644	456	s5F60.exe	84
PID 1644 wrote to memory of 1692	1644	H7n39.exe	85
PID 1644 wrote to memory of 1692	1644	H7n39.exe	85
PID 1644 wrote to memory of 1692	1644	H7n39.exe	85
PID 1692 wrote to memory of 1452	1692	1k73S7.exe	86
PID 1692 wrote to memory of 1452	1692	1k73S7.exe	86
PID 1692 wrote to memory of 1452	1692	1k73S7.exe	86
PID 1644 wrote to memory of 3180	1644	H7n39.exe	87
PID 1644 wrote to memory of 3180	1644	H7n39.exe	87
PID 1644 wrote to memory of 3180	1644	H7n39.exe	87

C:\Users\Admin\AppData\Local\Temp\10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe
"C:\Users\Admin\AppData\Local\Temp\10b72f151dee3d7075be704a726e609b0a42bff9f75420b5bf952e03757e8ea6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5F60.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5F60.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H7n39.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H7n39.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1k73S7.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1k73S7.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m8966.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m8966.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3180

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5F60.exe

Filesize
5.5MB

MD5
ab887861d0251753f5fbe626c20198e3

SHA1
4fcc5954a4a98923c2caf0d8d4eb1b53c2e0abe9

SHA256
b5f1dc814ecd6bef988353fcb726c0d30e9f212974f967cfa7d97f0a70a9c453

SHA512
9ced542e00e906b7a78987b85d224733b845abb57515eda0b6ccd81eb5a074c88d8bf6e476f7de9d6eb8556daa152e025fc423d1de6ec22a5e414742a99ed2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H7n39.exe

Filesize
3.7MB

MD5
8a79ba240db70a299cb5d58c69d053cb

SHA1
ab3f168f4b9bbbbc430012750295bc9997c19c74

SHA256
81727e0284291811b884c77854486190f7a1e99fc80e9983399494b18ff94580

SHA512
0871b9933e3499fb19ae21cbdd3cd43943c4343bfbbdc53484cf0f5a874233a29c5ce91cac29afe8b09d1667f9e2e94347edefc4d4e0d8a3ecce00fd5e4c1749

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1k73S7.exe

Filesize
1.8MB

MD5
2c780bd0b93d85afbad23124cf8994c2

SHA1
267288b40a48cdb0aee1bcf8972f4e25ff72f4ff

SHA256
96a1eea0f525785429d36cff82916e54227be6a3750796e05d594e952a213ec2

SHA512
d2eb2bb12b7484a10f9517c2bb1f1095e5d234aedfa7730b9196e95b004d3db0fb79095a97d1643ee13db04b66f1718f9ab1a479e6fa97f811a6fb503b91bbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2m8966.exe

Filesize
1.8MB

MD5
6086c2c27043a6e017f55556c3356747

SHA1
baaff58e47a168b45ea4284338263065fc5826ff

SHA256
3a97a7fc9f3ba2e678694a42d704bbc75ae15b81790d78cc18e27761ecb3a8d3

SHA512
cc2b305aaacf23f4346f1e1828dbdcad5f4ef76553b7186739ac290806570062afe5431dba8d527788e5724dd88ff083dc2e38ad408920df79b7b24d4a94b0d4

Download Submit
memory/1452-46-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-64-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-66-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-80-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-78-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-33-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-44-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-54-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-62-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-56-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-48-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-72-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-50-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-70-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-52-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1452-68-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/1692-20-0x0000000000C70000-0x0000000001141000-memory.dmp

Filesize
4.8MB

Download
memory/1692-35-0x0000000000C70000-0x0000000001141000-memory.dmp

Filesize
4.8MB

Download
memory/2876-77-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/2876-75-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/3180-45-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-69-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-81-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-63-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-57-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-65-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-55-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-67-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-53-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-39-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-51-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-71-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-73-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-49-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-47-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/3180-79-0x00000000002B0000-0x000000000075B000-memory.dmp

Filesize
4.7MB

Download
memory/4044-41-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/4044-43-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/4400-61-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download
memory/4400-59-0x00000000005D0000-0x0000000000AA1000-memory.dmp

Filesize
4.8MB

Download