Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
25/02/2025, 22:21
General
-
Target
quarantine/Q7t2AMs.exe
-
Size
1.8MB
-
MD5
e3db5749715032f09380e2b83170df85
-
SHA1
5eba9270b0a48ffda040d10e08aef49acbb4452d
-
SHA256
0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
-
SHA512
682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199
-
SSDEEP
49152:piz+b/M/T/XsCWYkr+Sah/lROSwrk9CUMeUz:piCb2/XsLrPCOd4g/x
Malware Config
Extracted
amadey
5.21
a4d2cd
http://cobolrationumelawrtewarms.com
http://�������� jlgenfekjlfnvtgpegkwr.xyz
-
install_dir
a58456755d
-
install_file
Gxtuum.exe
-
strings_key
00fadbeacf092dfd58b48ef4ac68f826
-
url_paths
/3ofn3jf3e2ljk/index.php
Extracted
systembc
towerbingobongoboom.com
93.186.202.3
-
dns
5.132.191.104
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Systembc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file 1 IoCs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3279D3F4-691F-49DA-8C18-18C8B088C80A} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\dnao\rbsmife.exeC:\ProgramData\dnao\rbsmife.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD522b7fa9d7ece61a0e0a7a0e9b130e311
SHA100329bc46fab8e69da98e11894e7249fc4b5199f
SHA2560acada86bfe4cbdc97544e147207bcee377948415acb32223fe6a69716591c8f
SHA512cbc289aaf8a12863fc5d27443daea89e90045805b110eb2a4eabbfa2afb185651355dcffcb9a8188801786e2a07aa7198d31aba8d3bc4c2f8bcfea66033260b9
-
Filesize
218B
MD5900d8ea41149a4bc1d0bc27b8178287c
SHA1583e385ffa18b2bc1247e82dce18ec48826d7237
SHA2568c761b26944c1136b004791bc0924f71976a8db069e0caf4c5aee93ad46370c7
SHA512e5296bea28e9f65dac0dda22c415b64b79b866da928cf3b074d2c44e6dded8764a8ed1909728ad01a09a09b264e16f670588fe8979093339ef501b0def195e68
-
Filesize
1.8MB
MD5e3db5749715032f09380e2b83170df85
SHA15eba9270b0a48ffda040d10e08aef49acbb4452d
SHA2560b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.3MB
-
Filesize
4.7MB
-
Filesize
4.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.3MB
-
Filesize
4.7MB
-
Filesize
4.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB