Malware Analysis Report

2025-04-03 09:13

Sample ID 250228-jgr84swkx5
Target 66336092dce79c1abbe03207cd634a23.exe
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
Tags amadey a4d2cd defense_evasion discovery trojan systembc
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5

Threat Level: Known bad

The file 66336092dce79c1abbe03207cd634a23.exe was found to be: Known bad.

Malicious Activity Summary

amadey a4d2cd defense_evasion discovery trojan systembc

Amadey family

SystemBC

Amadey

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-28 07:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-28 07:38

Reported

2025-02-28 07:41

Platform

win7-20241010-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

Network

N/A

Files

memory/3032-0-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/3032-1-0x0000000077D20000-0x0000000077D22000-memory.dmp

memory/3032-2-0x00000000008C1000-0x00000000008EF000-memory.dmp

memory/3032-3-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/3032-5-0x00000000008C0000-0x0000000000D75000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 66336092dce79c1abbe03207cd634a23
SHA1 f851be99396b0c10c1a74a95d6b08f51bf0f3e79
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
SHA512 0b23966098735dd1361b277bf93fa9f760d14d09361e1cb3baef6a72c2b6db6d20a9a5312414e1c9af75840628114aa37325e6e0919617edf03ea75a8219738a

memory/3032-17-0x0000000006680000-0x0000000006B35000-memory.dmp

memory/3032-19-0x00000000008C0000-0x0000000000D75000-memory.dmp

memory/2896-20-0x0000000000C10000-0x00000000010C5000-memory.dmp

memory/2896-21-0x0000000000C11000-0x0000000000C3F000-memory.dmp

memory/2896-22-0x0000000000C10000-0x00000000010C5000-memory.dmp

memory/2896-23-0x0000000000C10000-0x00000000010C5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-28 07:38

Reported

2025-02-28 07:41

Platform

win10v2004-20250217-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\kbci\nroqmj.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\kbci\nroqmj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\kbci\nroqmj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\ProgramData\kbci\nroqmj.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\kbci\nroqmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe

"C:\Users\Admin\AppData\Local\Temp\66336092dce79c1abbe03207cd634a23.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

"C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\kbci\nroqmj.exe

C:\ProgramData\kbci\nroqmj.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:4927 towerbingobongoboom.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp

Files

memory/1880-0-0x0000000000FA0000-0x0000000001455000-memory.dmp

memory/1880-1-0x0000000077604000-0x0000000077606000-memory.dmp

memory/1880-2-0x0000000000FA1000-0x0000000000FCF000-memory.dmp

memory/1880-3-0x0000000000FA0000-0x0000000001455000-memory.dmp

memory/1880-4-0x0000000000FA0000-0x0000000001455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 66336092dce79c1abbe03207cd634a23
SHA1 f851be99396b0c10c1a74a95d6b08f51bf0f3e79
SHA256 4a14e6edf594c4e16b3122c580a1f4dbcf79d90a0ec0e43a3f1c41a1a70a44e5
SHA512 0b23966098735dd1361b277bf93fa9f760d14d09361e1cb3baef6a72c2b6db6d20a9a5312414e1c9af75840628114aa37325e6e0919617edf03ea75a8219738a

memory/2120-16-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/1880-18-0x0000000000FA0000-0x0000000001455000-memory.dmp

memory/2120-19-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/2120-20-0x0000000000B00000-0x0000000000FB5000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000410100\hypperdrive.exe

MD5 54995f5af32ec74fbc70acc9edaa9fd3
SHA1 8f8e7306b0f1017f9aaa317045a988502855d2a8
SHA256 da0a971e9d9a0afdcbe0f59c98a8c932cf4b380fb4038c7ede297951189d34c6
SHA512 c25743be84a638410815fade935f03fbb1871c4a7526786591d7519fe4818e758c1e4328e43fa727d52c45572c327123cdc2bf17299b57f7b9c511a4179059e5

memory/1940-35-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-36-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/1940-40-0x0000000004930000-0x0000000004931000-memory.dmp

memory/1940-39-0x0000000004920000-0x0000000004921000-memory.dmp

memory/1940-38-0x0000000004940000-0x0000000004941000-memory.dmp

memory/1940-43-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-41-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2120-44-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/5016-46-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-49-0x0000000000400000-0x0000000000849000-memory.dmp

memory/5016-51-0x0000000000B00000-0x0000000000FB5000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 9c9df84e456948bd38cc0592e7f25247
SHA1 d972858c7d2ab4d9d7b623228205a5065e7864ab
SHA256 019fd0040ccc60454cb0103d874158d3ca324632ddc8481f30e2530e988e20e2
SHA512 f503e694c672dc51504eb6650e03c30c7edc1b11ce99bd2f3a0a705a216031a64c40df7fe910d613d9c0cd69242f52b969a0c4af227a45e244d9268f2493eadf

memory/1940-53-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-54-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-55-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-56-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-58-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3100-57-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-59-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-60-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-61-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-62-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-63-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-64-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-65-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-66-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-67-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-68-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-69-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-70-0x0000000000400000-0x0000000000849000-memory.dmp

memory/1940-71-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2416-73-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/2416-74-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/2120-75-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-76-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-77-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-78-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-79-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-80-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-81-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-82-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-83-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-84-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-85-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-86-0x0000000000400000-0x0000000000849000-memory.dmp

memory/3664-88-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/2120-89-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-90-0x0000000000400000-0x0000000000849000-memory.dmp

memory/2120-91-0x0000000000B00000-0x0000000000FB5000-memory.dmp

memory/3100-92-0x0000000000400000-0x0000000000849000-memory.dmp