amadey

General

Target

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a
Size

1.8MB
Sample

240425-j6jchaha61
MD5

03d7ce2625f41608ae71f4fabf4d391d
SHA1

c396d4c513df5a76bcba97db966c98d378262854
SHA256

9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a
SHA512

7d97f4b996c2efa5aa92093a3b64fe3d45d61a606297b228f25f7b1a57eabf236461c35e7615dae21167fa02913c0c7a512da32070287896f6c8a1194aadd1d7
SSDEEP

49152:03/bnqxRT3In44/3gItQ7+2QRmFx5MAuac:0jnI3In42RANbjc

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Targets

- Target
  
  9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a
- Size
  
  1.8MB
- MD5
  
  03d7ce2625f41608ae71f4fabf4d391d
- SHA1
  
  c396d4c513df5a76bcba97db966c98d378262854
- SHA256
  
  9e972f0a8028ddcb1607eb68285daeed82698a75cda648ca973ca0856a9c858a
- SHA512
  
  7d97f4b996c2efa5aa92093a3b64fe3d45d61a606297b228f25f7b1a57eabf236461c35e7615dae21167fa02913c0c7a512da32070287896f6c8a1194aadd1d7
- SSDEEP
  
  49152:03/bnqxRT3In44/3gItQ7+2QRmFx5MAuac:0jnI3In42RANbjc
Score

10^/10

amadey evasion trojan risepro persistence spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2