amadey

General

Target

c1a3b050233175fb7f071326dd5e21f1652ef0ca64811143a79f71c12b88d1dd
Size

1.8MB
Sample

240426-hxcb6abd59
MD5

df5a3f5421595efbde1cc2376dc9c6ff
SHA1

bc669fce4bece6c7e6381d1458790c1dd684f6ad
SHA256

c1a3b050233175fb7f071326dd5e21f1652ef0ca64811143a79f71c12b88d1dd
SHA512

62535268f26a691f258f4eede5c64d031bf28482755ed9a5f89345f10e323946d2b1942ab4bf16bb0d0a82daeab6074341798759e5eb18314b3d56f16f9781e4
SSDEEP

49152:jZq4v2nU82uBaVB8rf95FAI5l2CI6FZl0mYNl3s:jZqa2nJrs8r1YIz2CdvlVYz

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.17

C2

http://193.233.132.167

Attributes

install_dir
4d0ab15804
install_file
chrosha.exe
strings_key
1a9519d7b465e1f4880fa09a6162d768
url_paths
/enigma/index.php

rc4.plain

Extracted

Family

asyncrat

Version

| Controller

Botnet

Default

C2

45.138.16.138:4449

Mutex

aanqnmyihhbbckuo

Attributes

delay
1
install
true
install_file
winrar.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  c1a3b050233175fb7f071326dd5e21f1652ef0ca64811143a79f71c12b88d1dd
- Size
  
  1.8MB
- MD5
  
  df5a3f5421595efbde1cc2376dc9c6ff
- SHA1
  
  bc669fce4bece6c7e6381d1458790c1dd684f6ad
- SHA256
  
  c1a3b050233175fb7f071326dd5e21f1652ef0ca64811143a79f71c12b88d1dd
- SHA512
  
  62535268f26a691f258f4eede5c64d031bf28482755ed9a5f89345f10e323946d2b1942ab4bf16bb0d0a82daeab6074341798759e5eb18314b3d56f16f9781e4
- SSDEEP
  
  49152:jZq4v2nU82uBaVB8rf95FAI5l2CI6FZl0mYNl3s:jZqa2nJrs8r1YIz2CdvlVYz
Score

10^/10

amadey asyncrat default evasion rat spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2