amadey | 43b6c8410a80960b00f3785b5123ab440862bdd4496594585c44f4b436ca7825 | Triage

Resubmissions

22-03-2024 00:30

240322-att4ssdf42 10

21-03-2024 22:25

240321-2cbdxaca43 10

Sharing

General

Target

43b6c8410a80960b00f3785b5123ab440862bdd4496594585c44f4b436ca7825
Size

1.8MB
Sample

240322-att4ssdf42
MD5

ed77409c8f8b66f81fae0754ee9d86f7
SHA1

d2500b7585bed8dd179e84f73644a5b2afd8c8e1
SHA256

43b6c8410a80960b00f3785b5123ab440862bdd4496594585c44f4b436ca7825
SHA512

1208c9dbc61325d2110ba9057ed1a0b4f94103d82fe172a5f40614c3a8d5621f8e04b73784bb70965acd6e38e9fb604e29f52cb8f04f66e5923cd4a06cc9fe92
SSDEEP

24576:GqS02nN1gZ5woLL7hI+b31tDiiMBp9fHfyk21adtXUzXZKktlrfCNK20x2+MI9pN:Wg5wABzD1gf6FIdtXUNDfCN10lV

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.12

C2

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Targets

- Target
  
  43b6c8410a80960b00f3785b5123ab440862bdd4496594585c44f4b436ca7825
- Size
  
  1.8MB
- MD5
  
  ed77409c8f8b66f81fae0754ee9d86f7
- SHA1
  
  d2500b7585bed8dd179e84f73644a5b2afd8c8e1
- SHA256
  
  43b6c8410a80960b00f3785b5123ab440862bdd4496594585c44f4b436ca7825
- SHA512
  
  1208c9dbc61325d2110ba9057ed1a0b4f94103d82fe172a5f40614c3a8d5621f8e04b73784bb70965acd6e38e9fb604e29f52cb8f04f66e5923cd4a06cc9fe92
- SSDEEP
  
  24576:GqS02nN1gZ5woLL7hI+b31tDiiMBp9fHfyk21adtXUzXZKktlrfCNK20x2+MI9pN:Wg5wABzD1gf6FIdtXUNDfCN10lV
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

behavioral2

amadeyevasiontrojan