General
-
Target
3deb44decaf4c0c6bae78a603f2b4a71.exe
-
Size
1.8MB
-
Sample
240322-jfvb3scb4v
-
MD5
3deb44decaf4c0c6bae78a603f2b4a71
-
SHA1
b9ee88f8b78e5d392b48b6a911d5529308173568
-
SHA256
0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b
-
SHA512
eb4b9ab5423e818cedcbbc8b731948b5075df5768b57503b423cd49f10514b218c624feb66ba98ad57a624e00cf16fd04b73162e89cae5d7a5dbe8339f9c778b
-
SSDEEP
49152:un5E5pxdMwL/kxgLj/jPRdFRrRUvpVuvAexy0C:eE5pM8sxgCBVmAexy0C
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Targets
-
-
Target
3deb44decaf4c0c6bae78a603f2b4a71.exe
-
Size
1.8MB
-
MD5
3deb44decaf4c0c6bae78a603f2b4a71
-
SHA1
b9ee88f8b78e5d392b48b6a911d5529308173568
-
SHA256
0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b
-
SHA512
eb4b9ab5423e818cedcbbc8b731948b5075df5768b57503b423cd49f10514b218c624feb66ba98ad57a624e00cf16fd04b73162e89cae5d7a5dbe8339f9c778b
-
SSDEEP
49152:un5E5pxdMwL/kxgLj/jPRdFRrRUvpVuvAexy0C:eE5pM8sxgCBVmAexy0C
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-