amadey | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12 | Triage

Submit
Reports

Overview

overview

Static

static

3

c81600b4e9...12.exe

windows7-x64

c81600b4e9...12.exe

windows10-2004-x64

Resubmissions

27-04-2024 17:18

240427-vvfysadg4x 10

27-04-2024 13:30

240427-qr4hfsca2v 10

Sharing

General

Target

c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
Size

1.8MB
Sample

240427-vvfysadg4x
MD5

00d2b75c4c3e234c8576a67d24849596
SHA1

d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5
SHA256

c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
SHA512

0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d
SSDEEP

49152:g3/bnubds8ARZks8cBX2uYpSRFtbq9XHO:gjnu72QRGt

Score

10^/10

amadey evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe

Resource

win7-20231129-en

amadey evasion trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe

Resource

win10v2004-20240419-en

amadey evasion trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Targets

- Target
  
  c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
- Size
  
  1.8MB
- MD5
  
  00d2b75c4c3e234c8576a67d24849596
- SHA1
  
  d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5
- SHA256
  
  c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
- SHA512
  
  0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d
- SSDEEP
  
  49152:g3/bnubds8ARZks8cBX2uYpSRFtbq9XHO:gjnu72QRGt
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

behavioral2

amadeyevasiontrojan

© 2018-2024

Terms | Privacy