Overview

overview

10

Static

static

7

58233388d4...a1.exe

windows7-x64

10

58233388d4...a1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

  • Size

    2.2MB

  • Sample

    231204-xvl6xaef55

  • MD5

    1d32535deb1c523d0be798ff37593efa

  • SHA1

    af8d446c2b97ee254b06924423b17cd95e8c0d27

  • SHA256

    58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

  • SHA512

    3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085

  • SSDEEP

    49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb

Score
10/10
amadeyevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Targets

    • Target

      58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

    • Size

      2.2MB

    • MD5

      1d32535deb1c523d0be798ff37593efa

    • SHA1

      af8d446c2b97ee254b06924423b17cd95e8c0d27

    • SHA256

      58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

    • SHA512

      3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085

    • SSDEEP

      49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb

    Score
    10/10
    amadeyevasionthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks