General
-
Target
6b35cc63b0524fc38107e7f8aa418604a8f69dc5f5cfa97d50ee036ad0ed8de7
-
Size
1.8MB
-
Sample
240428-drrsfaeh24
-
MD5
c83471737e07303fced27de0fdafc21f
-
SHA1
53bab21cf01f8bec0123a12722fd7b02172f26a1
-
SHA256
6b35cc63b0524fc38107e7f8aa418604a8f69dc5f5cfa97d50ee036ad0ed8de7
-
SHA512
7a3aeb1e0b7393f079c029acf78030d61c39442e15052551e6436ab6e58962e7a47bb18d47c6e63341326749b64ddb442c809ec9b3d4cd2f7cd23a7de3fb7d57
-
SSDEEP
49152:i3/bnQhPVHnxFCILpB0PO5U/WMBjuR3OCjAc2yu9d:ijnqVHx5pqR/WMBiXbQ
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Targets
-
-
Target
6b35cc63b0524fc38107e7f8aa418604a8f69dc5f5cfa97d50ee036ad0ed8de7
-
Size
1.8MB
-
MD5
c83471737e07303fced27de0fdafc21f
-
SHA1
53bab21cf01f8bec0123a12722fd7b02172f26a1
-
SHA256
6b35cc63b0524fc38107e7f8aa418604a8f69dc5f5cfa97d50ee036ad0ed8de7
-
SHA512
7a3aeb1e0b7393f079c029acf78030d61c39442e15052551e6436ab6e58962e7a47bb18d47c6e63341326749b64ddb442c809ec9b3d4cd2f7cd23a7de3fb7d57
-
SSDEEP
49152:i3/bnQhPVHnxFCILpB0PO5U/WMBjuR3OCjAc2yu9d:ijnqVHx5pqR/WMBiXbQ
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-