amadey | 25fee0705c845d42b1b9fd2b3273808e358587d17cc9706dea565a2e68c10a52 | Triage

Resubmissions

19/04/2024, 01:19

240419-bpy3mace34 10

15/04/2024, 04:49

240415-ffv2tshd8z 10

Sharing

General

Target

25fee0705c845d42b1b9fd2b3273808e358587d17cc9706dea565a2e68c10a52
Size

2.8MB
Sample

240419-bpy3mace34
MD5

8c51fab20bcd068ceee453c05b007538
SHA1

ab51d4035ba9685d9c13f295403c5456a7cedd27
SHA256

25fee0705c845d42b1b9fd2b3273808e358587d17cc9706dea565a2e68c10a52
SHA512

9534527e8e2d31fbaee83756341792b77ae81f33ab448ead2eef7c1d341138bcb07fe00e3010f25801e21a84bad878e949e90ed63498ab14de7cf81fba76713b
SSDEEP

49152:T8Kw9EfTOhW1MLNVazcXj2FzNC8+CKR6sLZLGKA/HZLrfrwmq2B3tZ3n:wKw9qOhW16NVazQjofUE0ZLGKA/HZLrl

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Targets

- Target
  
  25fee0705c845d42b1b9fd2b3273808e358587d17cc9706dea565a2e68c10a52
- Size
  
  2.8MB
- MD5
  
  8c51fab20bcd068ceee453c05b007538
- SHA1
  
  ab51d4035ba9685d9c13f295403c5456a7cedd27
- SHA256
  
  25fee0705c845d42b1b9fd2b3273808e358587d17cc9706dea565a2e68c10a52
- SHA512
  
  9534527e8e2d31fbaee83756341792b77ae81f33ab448ead2eef7c1d341138bcb07fe00e3010f25801e21a84bad878e949e90ed63498ab14de7cf81fba76713b
- SSDEEP
  
  49152:T8Kw9EfTOhW1MLNVazcXj2FzNC8+CKR6sLZLGKA/HZLrfrwmq2B3tZ3n:wKw9qOhW16NVazQjofUE0ZLGKA/HZLrl
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

behavioral2

amadeyevasiontrojan