amadey | 58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1 | Triage

Submit
Reports

Overview

overview

Static

static

7

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

2.2MB
Sample

231204-sa8rysbg6y
MD5

1d32535deb1c523d0be798ff37593efa
SHA1

af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA256

58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA512

3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
SSDEEP

49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb

Score

10^/10

amadey evasion themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20231201-en

amadey evasion themida trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20231127-en

amadey evasion themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
a70b05054314f381be1ab9a5cdc8b250
url_paths
/u6vhSc3PPq/index.php

rc4.plain

Targets

- Target
  
  tmp
- Size
  
  2.2MB
- MD5
  
  1d32535deb1c523d0be798ff37593efa
- SHA1
  
  af8d446c2b97ee254b06924423b17cd95e8c0d27
- SHA256
  
  58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
- SHA512
  
  3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
- SSDEEP
  
  49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb
Score

10^/10

amadey evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasionthemidatrojan

behavioral2

amadeyevasionthemidatrojan

© 2018-2024

Terms | Privacy