General
-
Target
ae78bec31dc020206bcc638f93668cfa0a7c40cca352e322c1dd0885724f9f15
-
Size
1.8MB
-
Sample
240428-lyklpsda69
-
MD5
fc96a0737eae8312c6c4160e8e77a4c3
-
SHA1
0e42ce88f96ae08a4389a2611a73a610d95a762d
-
SHA256
ae78bec31dc020206bcc638f93668cfa0a7c40cca352e322c1dd0885724f9f15
-
SHA512
5226b641086f322d3fc13a186829163a46f54d02f0f21edb1b0f6457cc615554456d1693b48f3a2a4c4cabf354a4cc784009dccefbc4dfca0781826ff7d52797
-
SSDEEP
24576:f3nOcNWjHWfugPaJxzRkrUDNjZTbuyi0DXBc3rWhzqoMxu6SSKI6mUhxsRENjop+:/nJUCfzO5DXMZ7Ajsk8/Op
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Targets
-
-
Target
ae78bec31dc020206bcc638f93668cfa0a7c40cca352e322c1dd0885724f9f15
-
Size
1.8MB
-
MD5
fc96a0737eae8312c6c4160e8e77a4c3
-
SHA1
0e42ce88f96ae08a4389a2611a73a610d95a762d
-
SHA256
ae78bec31dc020206bcc638f93668cfa0a7c40cca352e322c1dd0885724f9f15
-
SHA512
5226b641086f322d3fc13a186829163a46f54d02f0f21edb1b0f6457cc615554456d1693b48f3a2a4c4cabf354a4cc784009dccefbc4dfca0781826ff7d52797
-
SSDEEP
24576:f3nOcNWjHWfugPaJxzRkrUDNjZTbuyi0DXBc3rWhzqoMxu6SSKI6mUhxsRENjop+:/nJUCfzO5DXMZ7Ajsk8/Op
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-