amadey

General

Target

conan.exe
Size

822KB
Sample

240406-nnapvshh69
MD5

f29bb9918f3803046c2bab24c20b458d
SHA1

c162f42333a6a7ef23ea9fc17e470daece374b6c
SHA256

b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993
SHA512

e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164
SSDEEP

24576:OYHymN8tZiUqGvCBSYcjOaTKsB5Oih4un0:OYRNyZiUqwCgYWHhn

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Targets

- Target
  
  conan.exe
- Size
  
  822KB
- MD5
  
  f29bb9918f3803046c2bab24c20b458d
- SHA1
  
  c162f42333a6a7ef23ea9fc17e470daece374b6c
- SHA256
  
  b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993
- SHA512
  
  e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164
- SSDEEP
  
  24576:OYHymN8tZiUqGvCBSYcjOaTKsB5Oih4un0:OYRNyZiUqwCgYWHhn
Score

10^/10

amadey risepro collection discovery evasion persistence spyware stealer themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2