amadey | cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073 | Triage

Submit
Reports

Overview

overview

Static

static

7

cdeeb0f1b8...73.exe

windows7_x64

cdeeb0f1b8...73.exe

windows10-2004_x64

Sharing

General

Target

cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073
Size

2.5MB
Sample

220215-gqz9zabef8
MD5

3d01438bfca0d5786c9e473f087c4c56
SHA1

ec905150408d52283b26c1b283fbf537d9423114
SHA256

cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073
SHA512

ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

Score

10^/10

amadey evasion themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073.exe

Resource

win7-en-20211208

amadey evasion themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073.exe

Resource

win10v2004-en-20220112

amadey evasion themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

amadey

Version

2.50

C2

depressionk1d.ug/k8FppT/index.php

Targets

- Target
  
  cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073
- Size
  
  2.5MB
- MD5
  
  3d01438bfca0d5786c9e473f087c4c56
- SHA1
  
  ec905150408d52283b26c1b283fbf537d9423114
- SHA256
  
  cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073
- SHA512
  
  ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6
Score

10^/10

amadey evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeyevasionthemidatrojan

behavioral2

amadeyevasionthemidatrojan

© 2018-2024

Terms | Privacy