Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2025 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.8MB

  • MD5

    bc3b0fcb68c9a3e6ce6ee8b3b9c258f6

  • SHA1

    edde275eb12f3e35413bf5872034ed7fe318ee68

  • SHA256

    c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

  • SHA512

    7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83

  • SSDEEP

    49152:y3OcrT0HpwEszQyM6w1muKtmMSb65a2wz3pcM:K4GJzbM6qmuKtjSb65ybV

Score
10/10
amadeyfed3aadefense_evasiondiscoverytrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    defense_evasion
  • Downloads MZ/PE file 1 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1956
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4376
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEE1MTQxNEEtOTJDNi00Njc1LUI4RTMtRTZDRkM4NkI3QjdFfSIgdXNlcmlkPSJ7RENERjlBNjItOTNCQi00ODFGLThCMjItOURBOENERUQ4NTA1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDM5NzgwOTAtRDREMC00Q0VFLTlGRjMtRDQ4RTk2MEYyNzYxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzU1NjgzNDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4976
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1015307001\goldik12321.exe
    Filesize

    266KB

    MD5

    857382699ef0a97dfb6a44c7511d23e4

    SHA1

    7c974532efd0b4aec848b1077df5d54ba75848c6

    SHA256

    29bd2fe47853c137d5272b34fce0224172cf0c5773345a93a8e0b700e1b428d3

    SHA512

    051e6865c86d52bcd8a321a593cde672dfa571dbc373268f3525e533acfaaa09beef7f725231f114db95860338cf62ef2331c33e1f8ad0aeeac6458435caa706

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.8MB

    MD5

    bc3b0fcb68c9a3e6ce6ee8b3b9c258f6

    SHA1

    edde275eb12f3e35413bf5872034ed7fe318ee68

    SHA256

    c4de054a99bee0ddfb0969f6e7a371ab4c0cdf3fb5e6e712d657eb58f5e916d8

    SHA512

    7f1b24935b2e0746aa57ce2bc2208b7756556de44e759073539e434fcaa859a1be62ea554999468bba9948de54038f7ee389ff80effcd2ba4e2d238cc86e4d83

    Download Submit

  • memory/228-89-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/952-0-0x0000000000F30000-0x00000000013EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/952-1-0x00000000770E4000-0x00000000770E6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/952-2-0x0000000000F31000-0x0000000000F5F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/952-3-0x0000000000F30000-0x00000000013EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/952-4-0x0000000000F30000-0x00000000013EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/952-17-0x0000000000F30000-0x00000000013EF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-33-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-85-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-22-0x0000000005280000-0x0000000005281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-21-0x0000000005240000-0x0000000005241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-20-0x0000000005260000-0x0000000005261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-19-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-27-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-26-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-28-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-29-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-32-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-24-0x0000000005230000-0x0000000005231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-43-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-44-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-94-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-93-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-92-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-91-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-51-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-25-0x0000000000621000-0x000000000064F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1956-67-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-84-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-23-0x0000000005220000-0x0000000005221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1956-86-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-87-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-18-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1956-90-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4376-50-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4376-48-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4376-47-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4376-46-0x0000000000620000-0x0000000000ADF000-memory.dmp

    Filesize

    4.7MB

    Download