General

  • Target

    3de42e8dcad7071ee556ce2ac67ec15f829ee2aa25b93afdedbf4fe9ec56b90b

  • Size

    2MB

  • Sample

    231207-k11j9sgg87

  • MD5

    df6a107318dc367387a3dfa488ac33d1

  • SHA1

    01047cdd570753ec8e66f2103e672cf05791fbdf

  • SHA256

    85c07ff26092a615e59d53e4a8ebe1833aa68c77065d806d3a5c53a1dd084d2c

  • SHA512

    ae275bb4b3e29eb120ff2c344eaadc41560282f81cfb6bd544d7fa8cf933ac5767c96ef0a5aca8dca54d93525f97fdb473dbd850a3d836d528db97f0a28ed115

  • SSDEEP

    49152:qBv1bwol/V7wiDAai1Yc882p3PqcZO8bTzJhmpd69cR/Zy:qTbwiDni1Yc88eNR3zc+cRs

Malware Config

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.125

Attributes
  • install_dir

    4fdb51ccdc

  • install_file

    Utsysc.exe

  • strings_key

    a70b05054314f381be1ab9a5cdc8b250

  • url_paths

    /u6vhSc3PPq/index.php

rc4.plain

Targets

    • Target

      3de42e8dcad7071ee556ce2ac67ec15f829ee2aa25b93afdedbf4fe9ec56b90b

    • Size

      3MB

    • MD5

      1f912c12896eb6942bd3f067d47b9250

    • SHA1

      8925008534a6149eaf6c47182cb7e1d89ed59471

    • SHA256

      3de42e8dcad7071ee556ce2ac67ec15f829ee2aa25b93afdedbf4fe9ec56b90b

    • SHA512

      682cd0638af81715232d6bc8fd7b1378d97d99595ef396d536f2b605e12d7ab162b50acfc09c94f039114e7307d8076f7cc5098a149e98e35b40f4dbeaffb5ce

    • SSDEEP

      49152:galdj8F1suOpRK+QjdtI1c7zwosyw91G9R/Ma8pM3h/4tTdS/r:gsdIsuOpRK+QxQy+G9k+/4tTar

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Tasks