amadey | 5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a | Triage

Submit
Reports

Overview

overview

Static

static

7

dridex

windows10-1703-x64

Sharing

General

Target

5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a
Size

6.0MB
Sample

231210-vfqvfagddr
MD5

d20c169833df7d5a176530bf19e65813
SHA1

4bb46ef4c7418900e4c4137f4aaded4b3b6f30d2
SHA256

5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a
SHA512

c17f96d92fd8e8f892324c7f61c23b118fdc7fb032999e13b2c80c75859232b4754ecbae07d200a4fff326f5ee104420b89f39f74571dee6d3bf03dd19eba3f2
SSDEEP

98304:g15EKFX859DrkzOMQhlCkGYbEAFkyXuzD5+u0c8jLgRGEveTjoM9hY/C:i2Z9vk0hAKbEAFpXQ9d0PjMnveTjoGhz

Score

10^/10

amadey evasion themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a.exe

Resource

win10-20231020-en

amadey evasion themida trojan

windows10-1703-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

amadey

C2

http://185.172.128.5

Attributes

strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.13

C2

http://185.172.128.5

Attributes

install_dir
4fdb51ccdc
install_file
Utsysc.exe
strings_key
11bb398ff31ee80d2c37571aecd1d36d
url_paths
/v8sjh3hs8/index.php

rc4.plain

Targets

- Target
  
  5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a
- Size
  
  6.0MB
- MD5
  
  d20c169833df7d5a176530bf19e65813
- SHA1
  
  4bb46ef4c7418900e4c4137f4aaded4b3b6f30d2
- SHA256
  
  5d3bdd91e0b184716f9c229e5bc3d6e7f0c349e1db0a570fe6032b7bd651059a
- SHA512
  
  c17f96d92fd8e8f892324c7f61c23b118fdc7fb032999e13b2c80c75859232b4754ecbae07d200a4fff326f5ee104420b89f39f74571dee6d3bf03dd19eba3f2
- SSDEEP
  
  98304:g15EKFX859DrkzOMQhlCkGYbEAFkyXuzD5+u0c8jLgRGEveTjoM9hY/C:i2Z9vk0hAKbEAFpXQ9d0PjMnveTjoGhz
Score

10^/10

amadey evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasionthemidatrojan

© 2018-2024

Terms | Privacy