General
-
Target
cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53
-
Size
1.8MB
-
Sample
240327-thm1wsff24
-
MD5
25a84242d258a18a96fe6368ec43c068
-
SHA1
02fd34ce3f48e6cee06d98bbfe7788a9a5074625
-
SHA256
cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53
-
SHA512
cf29554dbf5a824a5d08d7e323331f794942361a5988c0c209fdc517fbc3369c79d29d18f13b8e9497673721c46ae510bcdc2e2f1e6bf78d1141d7887f37e545
-
SSDEEP
49152:p3yyzw2ng66Y1WyY1uJtd+hNeSjNKpnoR+h5COq:NjbvDJieSjNynXh5C
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Targets
-
-
Target
cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53
-
Size
1.8MB
-
MD5
25a84242d258a18a96fe6368ec43c068
-
SHA1
02fd34ce3f48e6cee06d98bbfe7788a9a5074625
-
SHA256
cf23a8b33580384114e72d04958f8b7ea50bfddb2ceb12dd562152fbac0e5f53
-
SHA512
cf29554dbf5a824a5d08d7e323331f794942361a5988c0c209fdc517fbc3369c79d29d18f13b8e9497673721c46ae510bcdc2e2f1e6bf78d1141d7887f37e545
-
SSDEEP
49152:p3yyzw2ng66Y1WyY1uJtd+hNeSjNKpnoR+h5COq:NjbvDJieSjNynXh5C
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-