General

  • Target

    3BAF8F1B9532A7ACEDBE8D5EC0922E47B232718542C6E.exe

  • Size

    3.7MB

  • Sample

    221127-3pesjacg2s

  • MD5

    31f3dee65723f26fc727d2b640b53733

  • SHA1

    ca2676ebf7026b3bd4bc23d513811c382d67b5fc

  • SHA256

    3baf8f1b9532a7acedbe8d5ec0922e47b232718542c6e45d9328dffeafe3d7de

  • SHA512

    968b31a35ce4a7ddad7884db7db3426089ff21ce0da8f755e6ce1f9cf4172bab488e9155aa483d370cec190c8539cdec8ed1a3a1b32bf5d0edfaacbd7bba04b0

  • SSDEEP

    98304:zlyRnSo1TPftn7kdXWXskxmK1STB0H6AitRGqG:KnSoRNn7cmjwBoditRGqG

Malware Config

Extracted

Family

amadey

Version

3.01

C2

bebraboysclub.hk/g8lvleE2z/index.php

Targets

    • Target

      3BAF8F1B9532A7ACEDBE8D5EC0922E47B232718542C6E.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Tactic: Technique (count) Technique ID

Execution: Scheduled Task (1) T1053

Persistence: Scheduled Task (1) T1053

Privilege Escalation: Scheduled Task (1) T1053

Defense Evasion: Virtualization/Sandbox Evasion (1) T1497

Discovery: Query Registry (3) T1012; Virtualization/Sandbox Evasion (1) T1497; System Information Discovery (4) T1082

Tasks