General
Target: a30c6660c036b492c4ee80b3cf305e972141f621cff9f58aeb880cf652d84e99
Size: 1.8MB
Sample: 240322-hbqbwsbg3x
MD5: d8bcd072e4229035253b3252c0def657
SHA1: fc7bf50d9d709a4a08d167ca879d20e08ad458cd
SHA256: a30c6660c036b492c4ee80b3cf305e972141f621cff9f58aeb880cf652d84e99
SHA512: 0a60ca9532a2b4c2a751a0e26552503428e7b75addcedcca886cc05602542b2f8ef05a3b73390ced707ea487fb746fe3bb71c1fdc7e45290efa51ecc8fbb1f6a
SSDEEP: 49152:nlGSuMnsskUQeBljIsFLWH39Wl8LY3ID:l6MnjQeBqnH08Y3U
Static task: static1
Behavioral task: behavioral1
Sample: a30c6660c036b492c4ee80b3cf305e972141f621cff9f58aeb880cf652d84e99.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
Family: amadey
Version: 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
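The extracted configuration above is directly usable as hunting logic: the C2 host, the C2 host combined with the beacon path, and the install_dir\install_file pair. The Python below is an added example written for this page, not sandbox output or code from the Amadey family. The log line formats, the client IP, the user name and the Temp parent folder in the sample lines are constructed assumptions; the report states only the directory and file name of the installed copy, not where that directory is created, so the path matcher deliberately ignores the parent folder.

```python
import re
from urllib.parse import urlsplit

# Values copied from the Malware Config section of this report.
AMADEY_CONFIG = {
    "c2": "http://185.215.113.32",
    "url_paths": ["/yandex/index.php"],
    "install_dir": "00c07260dc",
    "install_file": "explorgu.exe",
}


def build_iocs(cfg):
    """Derive matchable indicators from an extracted config dict."""
    host = urlsplit(cfg["c2"]).hostname
    return {
        "c2_host": host,
        "c2_urls": [cfg["c2"].rstrip("/") + path for path in cfg["url_paths"]],
        # Only directory and file name are known, so match the pair under any parent.
        "install_path_re": re.compile(
            r"[\\/]" + re.escape(cfg["install_dir"])
            + r"[\\/]" + re.escape(cfg["install_file"]) + r"\b",
            re.IGNORECASE,
        ),
    }


def scan_proxy_line(line, iocs):
    """Web-proxy log line: host alone is a weak hit, host plus beacon path a strong one."""
    if iocs["c2_host"] not in line:
        return None
    for url in iocs["c2_urls"]:
        if url in line:
            return ("amadey_c2_beacon", url)
    return ("amadey_c2_host", iocs["c2_host"])


def scan_process_line(line, iocs):
    """Process-creation log line: flag the install_dir\\install_file pair."""
    match = iocs["install_path_re"].search(line)
    return ("amadey_install_path", match.group(0)) if match else None


def scan(lines, iocs):
    """Run both matchers over mixed log lines; returns (rule, indicator, line) tuples."""
    findings = []
    for line in lines:
        hit = scan_proxy_line(line, iocs) or scan_process_line(line, iocs)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


# Constructed sample log lines (not from the report). Client IP, user name and
# the Temp parent folder are illustrative assumptions.
SAMPLE_LINES = [
    "2024-03-22T10:15:01Z proxy 10.0.0.15 POST http://185.215.113.32/yandex/index.php 200 412",
    r"2024-03-22T10:15:03Z sysmon ProcessCreate Image=C:\Users\alice\AppData\Local\Temp\00c07260dc\explorgu.exe",
    # Same path component on a legitimate host: must NOT match, the host is the anchor.
    "2024-03-22T10:16:00Z proxy 10.0.0.15 GET https://www.yandex.ru/yandex/index.php 200 9981",
    "2024-03-22T10:17:40Z proxy 10.0.0.15 GET http://185.215.113.32/ 404 0",
]

if __name__ == "__main__":
    for rule, indicator, line in scan(SAMPLE_LINES, build_iocs(AMADEY_CONFIG)):
        print(f"{rule:22} {indicator:45} {line}")
```

The third sample line is there on purpose: the path `/yandex/index.php` is chosen to blend in with legitimate Yandex traffic, so the path is only treated as a beacon when it is seen on the configured C2 host.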
Targets
Target: a30c6660c036b492c4ee80b3cf305e972141f621cff9f58aeb880cf652d84e99
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer that can run Windows applications and is used by some sandboxes, so its presence is treated as a sandbox indicator.
- Suspicious use of NtSetInformationThreadHideFromDebugger: the ThreadHideFromDebugger information class stops debug events for that thread from being delivered to an attached debugger (anti-debugging).
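Four of the signatures above are registry probes, which makes them useful in the other direction: a sandbox operator can run the same checks against a guest to see what the sample will see. The Python below is an added example written for this page, not code from the sample or the sandbox. The key and value names are the ones conventionally used for these checks and are assumptions, not values read from the report; the report also does not say which country codes the geofence blocks, so the blocked set is left to the caller. The two registry snapshots are constructed, and GeoID 244 is used only as a sample value.

```python
# Hypervisor vendor strings looked for in BIOS version values (assumed list).
VM_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")

# Conventional locations for each check (assumptions, not taken from the report).
VBOX_ACPI_KEYS = (
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
)
WINE_KEYS = (r"HKCU\Software\Wine", r"HKLM\Software\Wine")
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
GEO_KEY = r"HKCU\Control Panel\International\Geo"


class RegistrySnapshot:
    """Offline stand-in for winreg: {key_path: {value_name: data}}, case-insensitive."""

    def __init__(self, entries):
        self._keys = {
            key.lower(): {name.lower(): data for name, data in values.items()}
            for key, values in entries.items()
        }

    def key_exists(self, key):
        return key.lower() in self._keys

    def value(self, key, name):
        return self._keys.get(key.lower(), {}).get(name.lower())


def virtualbox_acpi(reg):
    """'Identifies VirtualBox via ACPI registry values': VBOX__ table OEM IDs present."""
    return any(reg.key_exists(k) for k in VBOX_ACPI_KEYS)


def bios_markers(reg):
    """'Checks BIOS information in registry': vendor strings in the BIOS version values."""
    found = []
    for name in ("SystemBiosVersion", "VideoBiosVersion"):
        data = reg.value(BIOS_KEY, name)
        if data is None:
            continue
        text = " ".join(data if isinstance(data, (list, tuple)) else [data]).upper()
        for marker in VM_BIOS_MARKERS:
            if marker in text and marker not in found:
                found.append(marker)
    return found


def wine_present(reg):
    """'Identifies Wine through registry keys': Wine creates Software\\Wine on first run."""
    return any(reg.key_exists(k) for k in WINE_KEYS)


def geo_nation(reg):
    """'Checks computer location settings': the GeoID stored under Geo\\Nation."""
    return reg.value(GEO_KEY, "Nation")


def assess(reg, blocked_geoids=frozenset()):
    """Reasons an Amadey-style check would treat this guest as an analysis box or out of scope."""
    reasons = []
    if virtualbox_acpi(reg):
        reasons.append("virtualbox_acpi")
    markers = bios_markers(reg)
    if markers:
        reasons.append("bios:" + ",".join(markers))
    if wine_present(reg):
        reasons.append("wine")
    nation = geo_nation(reg)
    if nation is not None and nation in blocked_geoids:
        reasons.append("geo:" + nation)
    return reasons


# Constructed snapshots (illustrative, not captured from the sandbox run).
VBOX_GUEST = RegistrySnapshot({
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    BIOS_KEY: {"SystemBiosVersion": ["VBOX   - 1"],
               "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.0 VGA BIOS"]},
    GEO_KEY: {"Nation": "244"},
})
HARDENED_GUEST = RegistrySnapshot({
    BIOS_KEY: {"SystemBiosVersion": ["DELL   - 1072009"],
               "VideoBiosVersion": ["Intel Video BIOS"]},
    GEO_KEY: {"Nation": "244"},
})

if __name__ == "__main__":
    print("stock VirtualBox guest:", assess(VBOX_GUEST))
    print("hardened guest:", assess(HARDENED_GUEST))
```

An empty result from `assess` for a guest does not cover the last signature: NtSetInformationThreadHideFromDebugger is an API-level anti-debugging trick with no registry footprint, so it has to be handled by hooking the call, not by editing the guest image.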