amadey | 07a57e3b4dedb68cd543937c8f3c1074898c1ef7ebdef2500ed2e21e90adc876 | Triage

Submit
Reports

Overview

overview

Static

static

7

394168b2f2...18.exe

windows7-x64

394168b2f2...18.exe

windows10-2004-x64

Sharing

General

Target

394168b2f2cb33908bcb50ce185fef5a_JaffaCakes118
Size

4.3MB
Sample

240330-lkyamscf3s
MD5

394168b2f2cb33908bcb50ce185fef5a
SHA1

f89b384d59cdca8b2ab4463686b488c4be95ade7
SHA256

07a57e3b4dedb68cd543937c8f3c1074898c1ef7ebdef2500ed2e21e90adc876
SHA512

2fef618e41c30d18b79a07bd23817b898ff7fad415d51faa5d6e58cd2e6f3cb8abb431eebf913696ba3aebe3e893c3b1bce98942a5cb5b513da743d5c21e5e86
SSDEEP

98304:Ci/oJUas6k1aTsRzK/1zVJMo+HhfgomwZMvQmQJquCuQGDJlrEQANECdK:CP+aZ/qfgSZxmEqruQoL1hCdK

Score

10^/10

amadey trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

394168b2f2cb33908bcb50ce185fef5a_JaffaCakes118.exe

Resource

win7-20240221-en

amadey trojan vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

394168b2f2cb33908bcb50ce185fef5a_JaffaCakes118.exe

Resource

win10v2004-20240226-en

amadey trojan vmprotect

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

2.70

C2

http://185.215.113.45

Attributes

install_dir
603c0340b4
install_file
sqtvvs.exe
strings_key
9650ed9ffa8aab4a3a2645a9aad090b0
url_paths
/g4MbvE/index.php

rc4.plain

Targets

- Target
  
  394168b2f2cb33908bcb50ce185fef5a_JaffaCakes118
- Size
  
  4.3MB
- MD5
  
  394168b2f2cb33908bcb50ce185fef5a
- SHA1
  
  f89b384d59cdca8b2ab4463686b488c4be95ade7
- SHA256
  
  07a57e3b4dedb68cd543937c8f3c1074898c1ef7ebdef2500ed2e21e90adc876
- SHA512
  
  2fef618e41c30d18b79a07bd23817b898ff7fad415d51faa5d6e58cd2e6f3cb8abb431eebf913696ba3aebe3e893c3b1bce98942a5cb5b513da743d5c21e5e86
- SSDEEP
  
  98304:Ci/oJUas6k1aTsRzK/1zVJMo+HhfgomwZMvQmQJquCuQGDJlrEQANECdK:CP+aZ/qfgSZxmEqruQoL1hCdK
Score

10^/10

amadey trojan vmprotect
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeytrojanvmprotect

behavioral2

amadeytrojanvmprotect

© 2018-2024

Terms | Privacy