General
-
Target
4b06de871b297f9208c7211bf674b239fa8c83a6996746d6991bbdaa884a0e67
-
Size
1.8MB
-
Sample
240428-dzsppsfd6z
-
MD5
863fdb1b3a20d1061ab13283438ff9ba
-
SHA1
976b66a2ce413ca6b8514b369f68eb4a237c1436
-
SHA256
4b06de871b297f9208c7211bf674b239fa8c83a6996746d6991bbdaa884a0e67
-
SHA512
a0cce4013b2e76af00ba61fa9b72e9e27341d15d7de6d834f2289329d69ec3e9b0f41a4f1f60f2506a94f0c0114e626c20b49307fd81083b2189405b1e1f858c
-
SSDEEP
49152:Uqo9Kvu7k6EyLD4j6xAwOA1I31VZu20/skfm:US4bLkj6xAPAu3c2g
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Targets
-
-
Target
4b06de871b297f9208c7211bf674b239fa8c83a6996746d6991bbdaa884a0e67
-
Size
1.8MB
-
MD5
863fdb1b3a20d1061ab13283438ff9ba
-
SHA1
976b66a2ce413ca6b8514b369f68eb4a237c1436
-
SHA256
4b06de871b297f9208c7211bf674b239fa8c83a6996746d6991bbdaa884a0e67
-
SHA512
a0cce4013b2e76af00ba61fa9b72e9e27341d15d7de6d834f2289329d69ec3e9b0f41a4f1f60f2506a94f0c0114e626c20b49307fd81083b2189405b1e1f858c
-
SSDEEP
49152:Uqo9Kvu7k6EyLD4j6xAwOA1I31VZu20/skfm:US4bLkj6xAPAu3c2g
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-