amadey

General

Target

53d538cde61bf707077dd3d2cc152d94531eb704f12e1c0e7eb70bd0f8ef4057
Size

6.1MB
Sample

231210-j1z33acffj
MD5

65f1271aaa619686af548094f0909871
SHA1

b90b39e4ead147a91b62aee376900c3b15f6ae45
SHA256

53d538cde61bf707077dd3d2cc152d94531eb704f12e1c0e7eb70bd0f8ef4057
SHA512

c23eb12b735104516c1e440810915930bec1d1defb79ae29b2db5bf6ef3d1c8f18a5a41cffebde3ec6e2ba856989c334c47c1f25457203471ce5ac662e0bef10
SSDEEP

98304:jyIq98BE2YOseQasRCRasGE3YMpktQRxBjvX2DZ4I/7HI4VpnzghDiK6/hXKz8fj:mYt+CbY1t4nyDZHJcDin/hG8r

Score

10^/10

Malware Config

Extracted

Family

amadey

C2

http://185.172.128.5

Attributes

strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Targets

- Target
  
  53d538cde61bf707077dd3d2cc152d94531eb704f12e1c0e7eb70bd0f8ef4057
- Size
  
  6.1MB
- MD5
  
  65f1271aaa619686af548094f0909871
- SHA1
  
  b90b39e4ead147a91b62aee376900c3b15f6ae45
- SHA256
  
  53d538cde61bf707077dd3d2cc152d94531eb704f12e1c0e7eb70bd0f8ef4057
- SHA512
  
  c23eb12b735104516c1e440810915930bec1d1defb79ae29b2db5bf6ef3d1c8f18a5a41cffebde3ec6e2ba856989c334c47c1f25457203471ce5ac662e0bef10
- SSDEEP
  
  98304:jyIq98BE2YOseQasRCRasGE3YMpktQRxBjvX2DZ4I/7HI4VpnzghDiK6/hXKz8fj:mYt+CbY1t4nyDZHJcDin/hG8r
Score

10^/10

amadey evasion spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1