
General

  • Target: 81ed47a991b51ac416d56e87a29a9e1e.bin
  • Size: 4.4MB
  • Sample: 231229-cdpv9acaar
  • MD5: 6cf93d12833263026396667784477cfa
  • SHA1: 07b26ae6d7a5c561032fdcca3c866bd0ba27191a
  • SHA256: decbcf05edc76dd31fbf2e2eefb16305e4086c0b0d8df47e5d4631433e9387f5
  • SHA512: c47362537a0bbe60a4cab74a0fb6c5d8bb293551732cbb3bddd946521d3ba7be26f96a93422b1d1804bf8c73ee1db16de2b5f1ca0329ee6eb084db27e7e5a382
  • SSDEEP: 98304:NmlyqrxFJuNxjBjEZlG+oPclRdJDSTUSwn3IMIlE8DwbF0X5:NqYTyycl4TUSwn3IMDY5

Malware Config

Extracted

Family: amadey
Version: 4.13
C2: http://185.172.128.5

Attributes
  • install_dir: 4fdb51ccdc
  • install_file: Utsysc.exe
  • strings_key: 11bb398ff31ee80d2c37571aecd1d36d
  • url_paths: /v8sjh3hs8/index.php

rc4.plain

Targets

    • Target: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29.exe
    • Size: 4.4MB
    • MD5: 81ed47a991b51ac416d56e87a29a9e1e
    • SHA1: 0532b1052beed07bb9243e819b4dd5c3343120eb
    • SHA256: ead72d1eb42fc44e002ff76e006620db8308a34c3dd728df0fc26905b149ae29
    • SHA512: 1ee538bf29b583d591539f6352c1dfa3cd8b5d445384af73f8745e0dc98fc15cd0e886e9d4c3b9c6cb09f554bff77bc7ef58596f84c851303e619902eb4aea62
    • SSDEEP: 98304:Weekh63DHMYli6N3ZngCekllw5HON7IZGwTT5MCMBwxQf+0b:Weu3DHJ9RplwxOqEA5MdWxQd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
