amadey | e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
12/02/2025, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Size

1.9MB
MD5

a0dc17e6ae3783b033755a61c7cc0220
SHA1

0db682b1d80011abb57aa8ce76c1b2be00768323
SHA256

e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4b
SHA512

3148c635031356e12dad4f85141eede3bfbf979b441763f7ef29328ad3eef671d5598ac53b34563a64dfc404566611ab30b3c39eaf92a33ed5df590729ce0c44
SSDEEP

24576:J7PYlhBjkG7uzwoZ5+J1R7+u0gBdHT3LHulBbZi37tqHrqDz/poNgNeggahXGG1n:UoARq+BRurcRqLqfhAgNegg8+zDxZC

Score

10^/10

amadey 9c9aa5 fed3aa defense_evasion discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	893db0f4c8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
5	2404	axplong.exe
9	1320	skotes.exe
10	2404	axplong.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	893db0f4c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	893db0f4c8.exe

Executes dropped EXE 3 IoCs

pid	Process
2404	axplong.exe
2052	893db0f4c8.exe
1320	skotes.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	893db0f4c8.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	skotes.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
2404	axplong.exe
2404	axplong.exe
2052	893db0f4c8.exe
2052	893db0f4c8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\893db0f4c8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020085001\\893db0f4c8.exe"	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
2404	axplong.exe
2052	893db0f4c8.exe
1320	skotes.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
File created	C:\Windows\Tasks\skotes.job	893db0f4c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	893db0f4c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
2404	axplong.exe
2052	893db0f4c8.exe
1320	skotes.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
2052	893db0f4c8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2404	2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe	30
PID 2368 wrote to memory of 2404	2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe	30
PID 2368 wrote to memory of 2404	2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe	30
PID 2368 wrote to memory of 2404	2368	e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe	30
PID 2404 wrote to memory of 2052	2404	axplong.exe	33
PID 2404 wrote to memory of 2052	2404	axplong.exe	33
PID 2404 wrote to memory of 2052	2404	axplong.exe	33
PID 2404 wrote to memory of 2052	2404	axplong.exe	33
PID 2052 wrote to memory of 1320	2052	893db0f4c8.exe	34
PID 2052 wrote to memory of 1320	2052	893db0f4c8.exe	34
PID 2052 wrote to memory of 1320	2052	893db0f4c8.exe	34
PID 2052 wrote to memory of 1320	2052	893db0f4c8.exe	34

C:\Users\Admin\AppData\Local\Temp\e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe
"C:\Users\Admin\AppData\Local\Temp\e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4bN.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\1020085001\893db0f4c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1020085001\893db0f4c8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1020084001\6617dc632c.exe

Filesize
544KB

MD5
eb288e763e2f9d54fe8786d0c6cfd48c

SHA1
cac74ad31005476832ad998bd0e62c82437f7192

SHA256
777a8450ca4000af99979336c5a2177574f43bfab7314c2924b6cd8c9eb9c392

SHA512
f77f5163395fc18d4be91c63151fd9f1e3d231e8843f3bc68ccd54a2dd16ac20b0bb4303bb54f763fa4f94e4bc8ccd1871088f5c985d29ade33a03608dc9bd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020085001\893db0f4c8.exe

Filesize
1.8MB

MD5
9174f938f1be0f893f8d79b44ea6cc7c

SHA1
007b30011e65f89236823746a0a5e51d4f50f8db

SHA256
c383bb5fa422600fa2d1b19394a44cbb0942ebbf7b12014d20331b383daf07f3

SHA512
e9bbe0d170a8e941e299b5bb164ca5a8bd2b79b29c52d98e74363e736bba76375f2e3ba616da02db7b17607dd9d505dce7ef172ff28afb430555ee516e6a17fb

Download Submit
\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.9MB

MD5
a0dc17e6ae3783b033755a61c7cc0220

SHA1
0db682b1d80011abb57aa8ce76c1b2be00768323

SHA256
e4a33eb510ba1b6a58de052563024283efeab7d4aca9993d16091d69cd50bb4b

SHA512
3148c635031356e12dad4f85141eede3bfbf979b441763f7ef29328ad3eef671d5598ac53b34563a64dfc404566611ab30b3c39eaf92a33ed5df590729ce0c44

Download Submit
memory/1320-90-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/1320-88-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/1320-79-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/1320-84-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/1320-92-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/1320-86-0x0000000000A70000-0x0000000000F30000-memory.dmp

Filesize
4.8MB

Download
memory/2052-76-0x0000000000FC0000-0x0000000001480000-memory.dmp

Filesize
4.8MB

Download
memory/2052-60-0x0000000000FC0000-0x0000000001480000-memory.dmp

Filesize
4.8MB

Download
memory/2052-83-0x0000000007200000-0x00000000076C0000-memory.dmp

Filesize
4.8MB

Download
memory/2052-75-0x0000000007200000-0x00000000076C0000-memory.dmp

Filesize
4.8MB

Download
memory/2052-77-0x0000000007200000-0x00000000076C0000-memory.dmp

Filesize
4.8MB

Download
memory/2368-16-0x0000000007110000-0x00000000075EC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-18-0x0000000007110000-0x00000000075EC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-21-0x0000000000CD0000-0x00000000011AC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-4-0x0000000000CD0000-0x00000000011AC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-3-0x0000000000CD0000-0x00000000011AC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-2-0x0000000000CD1000-0x0000000000CFF000-memory.dmp

Filesize
184KB

Download
memory/2368-0-0x0000000000CD0000-0x00000000011AC000-memory.dmp

Filesize
4.9MB

Download
memory/2368-1-0x0000000077070000-0x0000000077072000-memory.dmp

Filesize
8KB

Download
memory/2404-42-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-61-0x00000000067D0000-0x0000000006C90000-memory.dmp

Filesize
4.8MB

Download
memory/2404-59-0x00000000067D0000-0x0000000006C90000-memory.dmp

Filesize
4.8MB

Download
memory/2404-31-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-30-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-29-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-28-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-81-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-82-0x00000000067D0000-0x0000000006C90000-memory.dmp

Filesize
4.8MB

Download
memory/2404-27-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-26-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-85-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-25-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-87-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-24-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-89-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-22-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-91-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download
memory/2404-19-0x0000000000900000-0x0000000000DDC000-memory.dmp

Filesize
4.9MB

Download