General

  • Target

    58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

  • Size

    2MB

  • Sample

    231204-xvl6xaef55

  • MD5

    1d32535deb1c523d0be798ff37593efa

  • SHA1

    af8d446c2b97ee254b06924423b17cd95e8c0d27

  • SHA256

    58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

  • SHA512

    3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085

  • SSDEEP

    49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Targets

    • Target

      58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

    • Size

      2MB

    • MD5

      1d32535deb1c523d0be798ff37593efa

    • SHA1

      af8d446c2b97ee254b06924423b17cd95e8c0d27

    • SHA256

      58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1

    • SHA512

      3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085

    • SSDEEP

      49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Tasks