General

  • Target

    b5153257171efca2a7d2e98961b424ac9cc527c6cc273c8e7efefbdf7ed48212

  • Size

    3.8MB

  • Sample

    220515-16l7tsbcep

  • MD5

    45f42d0f24c52fbd7c8e4005627c3096

  • SHA1

    f74df9753a830d151cda0efc13e939043f4e510e

  • SHA256

    b5153257171efca2a7d2e98961b424ac9cc527c6cc273c8e7efefbdf7ed48212

  • SHA512

    7c71b6e1c12a057c5b865998b8bc3de29ebcd1fd9cc48f1a413015eb9f323b3941e23219075629aebe535b96626a025068cd988e089a90c98d3aed6e866c6477

Malware Config

Extracted

Family

amadey

Version

3.01

C2

bebraboysclub.hk/g8lvleE2z/index.php

Targets

    • Target

      b5153257171efca2a7d2e98961b424ac9cc527c6cc273c8e7efefbdf7ed48212

    • Size

      3.8MB

    • MD5

      45f42d0f24c52fbd7c8e4005627c3096

    • SHA1

      f74df9753a830d151cda0efc13e939043f4e510e

    • SHA256

      b5153257171efca2a7d2e98961b424ac9cc527c6cc273c8e7efefbdf7ed48212

    • SHA512

      7c71b6e1c12a057c5b865998b8bc3de29ebcd1fd9cc48f1a413015eb9f323b3941e23219075629aebe535b96626a025068cd988e089a90c98d3aed6e866c6477

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information and, as the "Downloads MZ/PE file" / "Executes dropped EXE" signatures below show, for pulling and running additional payloads.

    • Modifies security service

    • suricata: ET MALWARE Amadey CnC Check-In

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments, since the BIOS vendor and version strings of VirtualBox, VMware and similar hypervisors are well known.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Technique IDs are as labelled by the report, i.e. ATT&CK v6; the report's count column is kept in parentheses. (In current ATT&CK, T1060 lives on as T1547.001 and T1031 as T1543.003.)

  • Execution: Scheduled Task (1) T1053

  • Persistence: Modify Existing Service (2) T1031; Registry Run Keys / Startup Folder (1) T1060; Scheduled Task (1) T1053

  • Privilege Escalation: Scheduled Task (1) T1053

  • Defense Evasion: Modify Registry (2) T1112; Virtualization/Sandbox Evasion (1) T1497

  • Discovery: Query Registry (2) T1012; Virtualization/Sandbox Evasion (1) T1497; System Information Discovery (3) T1082

  • Command and Control: Web Service (1) T1102
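The registry-based signatures above (BIOS strings, VirtualBox ACPI keys, the UAC check, the Run key, the firewall policy) are the kind of thing an analyst re-derives from a raw behaviour log when the sandbox verdict needs confirming. The script below is an added example written for this page, not code from the report or from any sandbox vendor: it parses a constructed registry-event log (one "query|set <path>" per line, invented here) against a small rule set that uses the report's own signature names and ATT&CK v6 IDs. The registry paths in the rules are the well-known locations these checks read (HARDWARE\DESCRIPTION\System BIOS values, HARDWARE\ACPI\*\VBOX__, Policies\System\EnableLUA, CurrentVersion\Run, FirewallPolicy); the rule-to-technique mapping is the editor's, mirroring the matrix, not the sandbox's internal logic.

```python
import re
from collections import defaultdict

# Constructed sample log (not taken from the report): "<op> <registry path>" per line,
# in the shape a behaviour monitor might emit. The last line is benign noise.
SAMPLE_EVENTS = r"""
query HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
query HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
query HKLM\HARDWARE\ACPI\DSDT\VBOX__
query HKLM\HARDWARE\ACPI\FADT\VBOX__
query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
set HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup
set HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
query HKCU\SOFTWARE\Mozilla\Firefox\Profiles
"""

# (signature name as the report phrases it, operation, path regex, ATT&CK v6 technique IDs).
# The mapping is the editor's reading of the report's matrix, not the sandbox's own rules.
RULES = [
    ("Checks BIOS information in registry", "query",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$",
     {"T1082", "T1012"}),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "query",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", {"T1497", "T1012"}),
    ("Checks whether UAC is enabled", "query",
     r"\\Policies\\System\\EnableLUA$", {"T1012"}),
    ("Adds Run key to start application", "set",
     r"\\CurrentVersion\\Run\\", {"T1060"}),
    ("Modifies Windows Firewall", "set",
     r"\\FirewallPolicy\\", {"T1112"}),
]


def parse_events(log_text):
    """Yield (op, path) tuples; blank or malformed lines are skipped, not raised."""
    for line in log_text.splitlines():
        parts = line.strip().split(" ", 1)
        if len(parts) == 2 and parts[0] in ("query", "set"):
            yield parts[0], parts[1]


def triage(log_text):
    """Return {signature name: [matched registry paths]} for every rule that fires."""
    hits = defaultdict(list)
    for op, path in parse_events(log_text):
        for name, rule_op, pattern, _ in RULES:
            # Registry paths are case-insensitive on Windows, so match that way.
            if op == rule_op and re.search(pattern, path, re.IGNORECASE):
                hits[name].append(path)
    return dict(hits)


def attack_techniques(hits):
    """Union of ATT&CK IDs for the signatures that fired, sorted for stable output."""
    ids = set()
    for name, _, _, techniques in RULES:
        if name in hits:
            ids |= techniques
    return sorted(ids)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, paths in found.items():
        print(f"[+] {name}")
        for p in paths:
            print(f"      {p}")
    print("ATT&CK:", ", ".join(attack_techniques(found)))
```

On the constructed log this flags five of the report's signatures and yields T1012, T1060, T1082, T1112 and T1497, i.e. the registry-derived part of the matrix; the Firefox profile read is correctly ignored. Extending it to a real sandbox export means only changing `parse_events` to the exporter's field layout.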

Tasks