amadey | c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

Analysis

max time kernel
296s
max time network
298s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-02-2025 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

bc3b0fcb68c9a3e6ce6ee8b3b9c258f6
SHA1

edde275eb12f3e35413bf5872034ed7fe318ee68
SHA256

c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8
SHA512

7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83
SSDEEP

49152:y3OcrT0HpwEszQyM6w1muKtmMSb65a2wz3pcM:K4GJzbM6qmuKtjSb65ybV

Score

10^/10

amadey fed3aa defense_evasion discovery trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
35	3856	Process not Found
53	3856	Process not Found
43	2896	Process not Found
52	4640	axplong.exe
58	4640	axplong.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	axplong.exe

Executes dropped EXE 6 IoCs

pid	Process
4640	axplong.exe
4456	axplong.exe
1540	axplong.exe
2100	axplong.exe
4528	axplong.exe
4232	axplong.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Software\Wine	axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3728	random.exe
4640	axplong.exe
4456	axplong.exe
1540	axplong.exe
2100	axplong.exe
4528	axplong.exe
4232	axplong.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	random.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
472	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3728	random.exe
3728	random.exe
4640	axplong.exe
4640	axplong.exe
4456	axplong.exe
4456	axplong.exe
1540	axplong.exe
1540	axplong.exe
2100	axplong.exe
2100	axplong.exe
4528	axplong.exe
4528	axplong.exe
4232	axplong.exe
4232	axplong.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3728	random.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4640	3728	random.exe	84
PID 3728 wrote to memory of 4640	3728	random.exe	84
PID 3728 wrote to memory of 4640	3728	random.exe	84

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Mzg3QjcyNjItNUVBRC00M0JELTg4QzUtMDlFRDNGRjAyQ0FDfSIgdXNlcmlkPSJ7MzYzOTMxRDQtNTJCOC00MUU3LUE2NzgtNUU0QTkzRTMwRDUyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjRBMDI0QUItOEMwMi00M0FDLTg3NzItMUNGRjlCMTU0N0IwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMTc2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NzIxMjIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ1MDc3NDAxMSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:472

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4528

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1001527001\alex11111111.exe

Filesize
266KB

MD5
f68dbc63ff6e537babdd9fbf2006c725

SHA1
0f4abf54b458c731301767eeea3ca4967d00f811

SHA256
b176de5a3399b07eeb826e379cb5845918679ba6d1e6e9990cf2bb3ec19d9956

SHA512
235632527df9a1c54e376e72d95d3f9b1e1b47614cc90b3cbe824658d62d5baec0c91c1af3b74ce358ece1efc1b3577af8c1409af53cf862fe9d00cbe3ceaaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020132001\b4c535f822.exe

Filesize
400KB

MD5
ccf329326397c14502b97c6df7741e26

SHA1
c15b21dce202aaea2459b409715ec12edc3f4acb

SHA256
b31a20a5c5cee77a2a57c3a298237ba116ad7c0432b57b0770375779cbf8cf78

SHA512
4db86fbb5cc2fc1a0e9eebb0be7dec33df07de28b17ab7d1ec40c08478a5ee2d3dffc049f4918edb64c2886676c7b28319383739dc065a2af1bd2dbb0fa525f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
bc3b0fcb68c9a3e6ce6ee8b3b9c258f6

SHA1
edde275eb12f3e35413bf5872034ed7fe318ee68

SHA256
c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

SHA512
7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83

Download Submit
memory/1540-95-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/1540-96-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/2100-121-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/3728-5-0x00000000003E0000-0x000000000089F000-memory.dmp

Filesize
4.7MB

Download
memory/3728-9-0x00000000003E0000-0x000000000089F000-memory.dmp

Filesize
4.7MB

Download
memory/3728-0-0x00000000003E0000-0x000000000089F000-memory.dmp

Filesize
4.7MB

Download
memory/3728-3-0x00000000003E0000-0x000000000089F000-memory.dmp

Filesize
4.7MB

Download
memory/3728-2-0x00000000003E1000-0x000000000040F000-memory.dmp

Filesize
184KB

Download
memory/3728-1-0x0000000077B55000-0x0000000077B57000-memory.dmp

Filesize
8KB

Download
memory/4232-140-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4456-84-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4456-86-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4528-129-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-13-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-11-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-88-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-89-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-90-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-91-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-92-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-93-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-62-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-23-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-97-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-12-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-115-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-116-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-117-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-118-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-119-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-82-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-122-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-123-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-124-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-125-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-126-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-127-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-10-0x0000000000C21000-0x0000000000C4F000-memory.dmp

Filesize
184KB

Download
memory/4640-130-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-131-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-132-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-133-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-134-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-136-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-7-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-141-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download
memory/4640-142-0x0000000000C20000-0x00000000010DF000-memory.dmp

Filesize
4.7MB

Download