amadey | 39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96 | Triage

Resubmissions

19-04-2024 01:20

240419-bp7d1ade6x 10

18-04-2024 22:31

240418-2fpqpshf91 10

Sharing

General

Target

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96
Size

2.9MB
Sample

240419-bp7d1ade6x
MD5

991ad8f508243cc6706d30d800cd5016
SHA1

8bde1d4bb724e947826ff19c90e5685f31eb5fef
SHA256

39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96
SHA512

e76ddd0777a17fd1d28f860301602f03b729beb067adcfded6503ee9a4f3898dc064caf3c8b80e0e803be67685667005d2a9816e1eaf40ac25584a711f5ac3a5
SSDEEP

24576:bpGE2viqfRCgCfZIXcsUbODj6tmIvZaJaTtkCqwMrcUVnF+cD4I6cG8f1WWCwFGp:TQiwCDZkpNIRdc/l4I6IWFwFI/+Wdh

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Targets

- Target
  
  39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96
- Size
  
  2.9MB
- MD5
  
  991ad8f508243cc6706d30d800cd5016
- SHA1
  
  8bde1d4bb724e947826ff19c90e5685f31eb5fef
- SHA256
  
  39fcb4bc84140884e41e12a83482eb84c8ac3515a06d658f0f6e39b153315c96
- SHA512
  
  e76ddd0777a17fd1d28f860301602f03b729beb067adcfded6503ee9a4f3898dc064caf3c8b80e0e803be67685667005d2a9816e1eaf40ac25584a711f5ac3a5
- SSDEEP
  
  24576:bpGE2viqfRCgCfZIXcsUbODj6tmIvZaJaTtkCqwMrcUVnF+cD4I6cG8f1WWCwFGp:TQiwCDZkpNIRdc/l4I6IWFwFI/+Wdh
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

behavioral2

amadeyevasiontrojan