amadey | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

General

Target

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Size

452KB
MD5

a9749ee52eefb0fd48a66527095354bb
SHA1

78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512

9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25
SSDEEP

12288:Rib1rFTRH6serb/p93j6fGMWP1N72h8xp:IH659m+Mk1YW

Score

10^/10

amadey systembc a4d2cd defense_evasion discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
427d5xz71123

Extracted

Credentials

Protocol: smtp
Host:
mail.daynahoffman.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
michelle

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�� jlgenfekjlfnvtgpegkwr.xyz

Attributes

install_dir
a58456755d
install_file
Gxtuum.exe
strings_key
00fadbeacf092dfd58b48ef4ac68f826
url_paths
/3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	effectson.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cmqvdmk.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	2528	Gxtuum.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmqvdmk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	effectson.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	effectson.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmqvdmk.exe

Executes dropped EXE 3 IoCs

pid	Process
2528	Gxtuum.exe
2796	effectson.exe
1464	cmqvdmk.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	effectson.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	cmqvdmk.exe

Loads dropped DLL 3 IoCs

pid	Process
2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
2528	Gxtuum.exe
2528	Gxtuum.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2796	effectson.exe
1464	cmqvdmk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
File created	C:\Windows\Tasks\Test Task17.job	effectson.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmqvdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	effectson.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2796	effectson.exe
1464	cmqvdmk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2528	2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	30
PID 2504 wrote to memory of 2528	2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	30
PID 2504 wrote to memory of 2528	2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	30
PID 2504 wrote to memory of 2528	2504	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	30
PID 2528 wrote to memory of 2796	2528	Gxtuum.exe	33
PID 2528 wrote to memory of 2796	2528	Gxtuum.exe	33
PID 2528 wrote to memory of 2796	2528	Gxtuum.exe	33
PID 2528 wrote to memory of 2796	2528	Gxtuum.exe	33
PID 2424 wrote to memory of 1464	2424	taskeng.exe	35
PID 2424 wrote to memory of 1464	2424	taskeng.exe	35
PID 2424 wrote to memory of 1464	2424	taskeng.exe	35
PID 2424 wrote to memory of 1464	2424	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe
    "C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {C59C652C-5F70-4C93-83AC-F203D04B0A64} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\ProgramData\vfopijm\cmqvdmk.exe
  C:\ProgramData\vfopijm\cmqvdmk.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe

Filesize
1.7MB

MD5
3b4723591e7a82dc45cdd60b2162eee2

SHA1
9618f544c79dbae11634fc14bd472b3cb5eb046d

SHA256
1582d61232dff45c014769e9be4fb06f839ee3e462189dbbf28ca0380a6fa410

SHA512
1559f42a1dbdf1f78f971415f3252a1127ebd2f3490a374a13670fc366b54f50c58bac8234d30a43b3345fbecdf49f65b69500675887c81fa45bc06311917380

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
224B

MD5
99825d090478e290041a5ca381d9c6c0

SHA1
2b5a8b844ae3a88232c3a4955a4a91a062e1a2fd

SHA256
a0d9b92f4bb601c1be201f656b179cfcb16d84341b90d95b42eea1e071479108

SHA512
5911da75e7e25f7717e5f8d7349735a19d74d38de27a1f4520bc65513a7e0b5223f5c0fecb3c82ea1c2c774c352638e7150b0ab71b6e507ef8ecc17ed342633f

Download Submit
memory/1464-55-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-48-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-57-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-56-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-46-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-45-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-54-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-53-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-52-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-51-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-58-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1464-42-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2504-1-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2528-26-0x00000000047B0000-0x0000000004BF0000-memory.dmp

Filesize
4.2MB

Download
memory/2796-32-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-44-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-47-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-39-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-49-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-38-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-37-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-36-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-35-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-34-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2796-28-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/2796-29-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2796-27-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads