General
-
Target
d7cb7c7c585d51d0b3039d60dc0d1cadb115d594aa8952dca2f4dc17d17bdc84
-
Size
1.8MB
-
Sample
240403-g87rrsab5w
-
MD5
81f4dca0d86cbe3b20f6f6240669c746
-
SHA1
3f96b61f96f9a20666927db7717e768be93f3c91
-
SHA256
d7cb7c7c585d51d0b3039d60dc0d1cadb115d594aa8952dca2f4dc17d17bdc84
-
SHA512
768389ead7cd252c55a954b279265eb2c6dc6c08f5d21239ea7f3e550d7d775f939e2ecca5b71a71de183ea366ff04f5c6f992157a9303a76b6374015e604ea0
-
SSDEEP
49152:sIJozSw3EwUDxhm7uRHRU5to5mMzGHFpM:sIJozBUwUVRxyAmH
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Targets
-
-
Target
d7cb7c7c585d51d0b3039d60dc0d1cadb115d594aa8952dca2f4dc17d17bdc84
-
Size
1.8MB
-
MD5
81f4dca0d86cbe3b20f6f6240669c746
-
SHA1
3f96b61f96f9a20666927db7717e768be93f3c91
-
SHA256
d7cb7c7c585d51d0b3039d60dc0d1cadb115d594aa8952dca2f4dc17d17bdc84
-
SHA512
768389ead7cd252c55a954b279265eb2c6dc6c08f5d21239ea7f3e550d7d775f939e2ecca5b71a71de183ea366ff04f5c6f992157a9303a76b6374015e604ea0
-
SSDEEP
49152:sIJozSw3EwUDxhm7uRHRU5to5mMzGHFpM:sIJozBUwUVRxyAmH
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-