Resubmissions

  • 29-11-2022 06:20

    221129-g36yaadb63 10

  • 29-11-2022 06:06

    221129-gtrr1acc68 8

General

  • Target

    sBBw37vduNn9dfiK.ps1

  • Size

    51KB

  • Sample

    221129-g36yaadb63

  • MD5

    5b2458844f93996d9756f9078291dda9

  • SHA1

    c981f4fceb59827950b4111a4976b7d0dd53667a

  • SHA256

    61528ae70c919687208659f7270d06dfb12f0bb5baccbc49fead7e9ab1a876f8

  • SHA512

    bc51b6a5f81a7dcef185df10168c63a7b88d6f28e3340059cbae10b2579eedaa2a65e75a656e6ae23225d963bdc16225f27bf5907b3bbb44942f3bc0eb073bf2

  • SSDEEP

    96:3I/dd1LUiNtmtlwxWotbYG97JbAIX480I4ghn4rezXQCCgZavZFkMs3LtVT9ck3x:3fO9

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://drive.google.com/uc?export=download&id=1ogbCiwBaVXPjDHhV0GcZx3l_HoU1dbid

Extracted

  • Family

    amadey

  • Version

    3.50

  • C2

    77.73.134.68/hfk3vK9/index.php

Targets

    • Target

      sBBw37vduNn9dfiK.ps1


    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • UAC bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

    • Scheduled Task (T1053): 1

Persistence

    • Scheduled Task (T1053): 1

Privilege Escalation

    • Bypass User Account Control (T1088): 1

    • Scheduled Task (T1053): 1

Defense Evasion

    • Bypass User Account Control (T1088): 1

    • Disabling Security Tools (T1089): 1

    • Modify Registry (T1112): 2

    • Virtualization/Sandbox Evasion (T1497): 1

Credential Access

    • Credentials in Files (T1081): 1

Discovery

    • Query Registry (T1012): 3

    • Virtualization/Sandbox Evasion (T1497): 1

    • System Information Discovery (T1082): 4

Collection

    • Data from Local System (T1005): 1

    • Email Collection (T1114): 1

Command and Control

    • Web Service (T1102): 1

Tasks