General

Target: 28d70be2fab8cb76b834e98e6ab7b49c6017e31718f91f2f22506fdac3797d99
Size: 1.9MB
Sample: 240427-2l7tgaae4s
MD5: a1306ca76587d770312e018230814a12
SHA1: b362f6e8531eb197ff6766383abd69fa1cfecd48
SHA256: 28d70be2fab8cb76b834e98e6ab7b49c6017e31718f91f2f22506fdac3797d99
SHA512: 713022eb650f4a841dae66c6827a4235fb7a45423926e9edddbdbf611050d9d98f950a26dbcfc94a0e1d502c5560d968ee018417482f54a5899394441346257e
SSDEEP: 49152:v+IRVAUiDrfUB0tudD6bC5+gB4gLpExd2dKbo3fPNuBc:m18mu0e5+g/NeIdfuBc

Static task: static1
Behavioral task: behavioral1
Sample: 28d70be2fab8cb76b834e98e6ab7b49c6017e31718f91f2f22506fdac3797d99.exe
Resource: win10v2004-20240419-en
Malware Config

Extracted

Family: amadey
Version: 4.17
C2: http://193.233.132.167
install_dir: 4d0ab15804
install_file: chrosha.exe
strings_key: 1a9519d7b465e1f4880fa09a6162d768
url_paths: /enigma/index.php
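The extracted config and the file hashes above are directly usable as indicators: the C2 host plus url_paths give the beacon endpoint, install_dir plus install_file give the on-disk name of the installed copy, and the digests identify the sample itself. The following Python is an added example, not part of this report or of the sandbox's own tooling. It builds match rules from those values and runs them over constructed proxy and process-creation records; the log formats, hostnames, client addresses and the parent directory of the install path (%TEMP% here) are assumptions, and the report does not say where the sample installs itself, so the path rule only matches on the trailing install_dir\install_file component.

```python
"""Added example: IOC matching from the extracted Amadey config and the report
hashes. Log formats and the sample records below are constructed for illustration."""
import hashlib
from urllib.parse import urlsplit

# Copied from the "Malware Config" section of the report.
AMADEY_CONFIG = {
    "version": "4.17",
    "c2": "http://193.233.132.167",
    "install_dir": "4d0ab15804",
    "install_file": "chrosha.exe",
    "url_paths": ["/enigma/index.php"],
}

# Copied from the "General" section of the report.
REPORT_HASHES = {
    "md5": "a1306ca76587d770312e018230814a12",
    "sha1": "b362f6e8531eb197ff6766383abd69fa1cfecd48",
    "sha256": "28d70be2fab8cb76b834e98e6ab7b49c6017e31718f91f2f22506fdac3797d99",
    "sha512": "713022eb650f4a841dae66c6827a4235fb7a45423926e9edddbdbf611050d9d98f950a26dbcfc94a0e1d502c5560d968ee018417482f54a5899394441346257e",
}


def report_hash_matches(data):
    """Which of the report's digests a candidate file reproduces (all four should
    agree if the file really is this sample)."""
    return {alg: hashlib.new(alg, data).hexdigest() == digest
            for alg, digest in REPORT_HASHES.items()}


def c2_endpoints(config):
    """(host, path) pairs the implant beacons to: C2 host joined with each url_path."""
    host = urlsplit(config["c2"]).hostname
    return {(host, path) for path in config["url_paths"]}


def install_suffix(config):
    """Trailing path component of the installed copy. The parent directory is left
    unspecified (assumption: it may vary), so the match is on the tail only."""
    return ("\\" + config["install_dir"] + "\\" + config["install_file"]).lower()


# Constructed proxy log, fields "<time> <client> <method> <url> <status>" (assumed format).
PROXY_LOG = [
    "2024-04-27T20:41:10Z 10.0.0.14 POST http://193.233.132.167/enigma/index.php 200",
    "2024-04-27T20:41:11Z 10.0.0.14 GET http://example.com/ 200",
    "2024-04-27T20:41:12Z 10.0.0.22 POST http://193.233.132.167:80/enigma/index.php 200",
    "2024-04-27T20:41:13Z 10.0.0.9 GET http://193.233.132.167/status 404",
]


def match_proxy_log(lines, endpoints):
    """Lines whose URL host and path equal a known C2 endpoint; the port and query
    string are ignored so an explicit :80 still matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        when, client, method, url, _status = fields[:5]
        parsed = urlsplit(url)
        if (parsed.hostname, parsed.path) in endpoints:
            hits.append({"time": when, "client": client, "method": method, "url": url})
    return hits


# Constructed process-creation records (assumed EDR-style fields).
PROCESS_EVENTS = [
    {"host": "ws-14", "image": r"C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"},
    {"host": "ws-14", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-22", "image": r"C:\ProgramData\4d0ab15804\chrosha.exe"},
    {"host": "ws-09", "image": r"C:\Users\Bob\Downloads\chrosha.exe"},
]


def match_process_events(events, suffix):
    """Process starts whose image path ends with install_dir\\install_file."""
    return [e for e in events if e["image"].lower().endswith(suffix)]


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG, c2_endpoints(AMADEY_CONFIG)):
        print("C2 beacon:", hit)
    for ev in match_process_events(PROCESS_EVENTS, install_suffix(AMADEY_CONFIG)):
        print("installed copy executed:", ev)
```

The path rule deliberately requires both the random-looking install_dir and the install_file, because a file named chrosha.exe in a Downloads folder (the last constructed record) is not evidence of this install on its own.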
Targets

Target: 28d70be2fab8cb76b834e98e6ab7b49c6017e31718f91f2f22506fdac3797d99
Size and hashes: identical to the General section above.
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  VirtualBox guests expose ACPI tables whose registry entries carry the VBOX vendor string; reading them is a common check for running inside a VM.
- Checks BIOS information in registry
  BIOS version and vendor strings stored in the registry are often read to fingerprint sandbox or VM environments.
- Executes dropped EXE
  The sample launches a file it wrote to disk itself, most likely the installed copy named by install_dir and install_file in the extracted config.
- Identifies Wine through registry keys
  Wine is a compatibility layer that runs Windows applications on other operating systems; some sandboxes are built on it, so Wine-specific registry keys are checked to detect them.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
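The signatures above are behavioural, so the defender-side check is to look for the same API patterns in an API-call trace from a sandbox or a hooking EDR. The following Python is an added example, not part of this report or of the sandbox's own signature engine. It classifies a constructed JSON-lines trace into the five signatures listed, including a stateful rule for "executes dropped EXE" (a file the process opened for writing is later started as a process). The field names of the trace are an assumption about the hook output, the registry key and value names are the locations such checks conventionally probe rather than anything quoted from this report, and the ThreadHideFromDebugger information class value 0x11 is the one defined in the Windows native API headers.

```python
"""Added example: classify an API-call trace into the behaviour signatures listed
in the report. The trace below is constructed and its field names are assumed."""
import json
import re

# THREADINFOCLASS value for ThreadHideFromDebugger (Windows native API headers).
THREAD_HIDE_FROM_DEBUGGER = 0x11

REGISTRY_READ_APIS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA",
                      "RegQueryValueExW", "NtOpenKey", "NtQueryValueKey"}
FILE_OPEN_APIS = {"CreateFileA", "CreateFileW"}
PROCESS_CREATE_APIS = {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}

# Registry locations conventionally probed for VirtualBox ACPI tables, BIOS strings and Wine
# (assumption: these are the usual targets of such checks, not taken from the report).
VBOX_ACPI_KEY = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
BIOS_KEY = re.compile(r"\\HARDWARE\\DESCRIPTION\\System$", re.I)
BIOS_VALUES = {"systembiosversion", "videobiosversion", "systembiosdate"}
WINE_KEY = re.compile(r"\\Software\\Wine(\\|$)", re.I)

# Constructed trace, one JSON object per line; backslashes are JSON-escaped.
TRACE = r"""
{"pid": 4120, "api": "RegOpenKeyExW", "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "status": 2}
{"pid": 4120, "api": "RegQueryValueExW", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "SystemBiosVersion", "status": 0}
{"pid": 4120, "api": "RegOpenKeyExW", "key": "HKCU\\Software\\Wine", "status": 2}
{"pid": 4120, "api": "NtSetInformationThread", "thread_info_class": 17, "status": 0}
{"pid": 4120, "api": "CreateFileW", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d0ab15804\\chrosha.exe", "access": "GENERIC_WRITE", "status": 0}
{"pid": 4120, "api": "CreateProcessW", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d0ab15804\\chrosha.exe", "status": 0}
{"pid": 4120, "api": "RegQueryValueExW", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", "value": "Shell", "status": 0}
"""


def classify(event, written_paths):
    """Return the signature name an event triggers, or None. written_paths is the
    set of files this process has opened for writing; it feeds the stateful
    'executes dropped EXE' rule."""
    api = event.get("api", "")
    key = event.get("key", "")
    if api in REGISTRY_READ_APIS:
        if VBOX_ACPI_KEY.search(key):
            return "identifies_virtualbox_via_acpi_registry"
        if BIOS_KEY.search(key) and event.get("value", "").lower() in BIOS_VALUES:
            return "checks_bios_information_in_registry"
        if WINE_KEY.search(key):
            return "identifies_wine_through_registry"
        return None
    if api == "NtSetInformationThread" and event.get("thread_info_class") == THREAD_HIDE_FROM_DEBUGGER:
        return "hide_thread_from_debugger"
    if api in FILE_OPEN_APIS and "WRITE" in event.get("access", "").upper():
        written_paths.add(event.get("path", "").lower())
        return None
    if api in PROCESS_CREATE_APIS and event.get("path", "").lower() in written_paths:
        return "executes_dropped_exe"
    return None


def scan_trace(trace_text):
    """(api, signature) pairs for every event that triggers a signature, tracking
    written files per pid so a drop by one process is not credited to another."""
    written_by_pid = {}
    hits = []
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        written = written_by_pid.setdefault(event.get("pid"), set())
        sig = classify(event, written)
        if sig:
            hits.append((event["api"], sig))
    return hits


def triggered_signatures(trace_text):
    """Sorted, de-duplicated signature names for a whole trace."""
    return sorted({sig for _, sig in scan_trace(trace_text)})


if __name__ == "__main__":
    for api, sig in scan_trace(TRACE):
        print(f"{api:<24} -> {sig}")
```

Note that the registry rules fire on the read attempt, not on its result: the VBOX and Wine keys in the constructed trace return status 2 (not found), which is exactly what a non-VM host would report, and the probe itself is the signal.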