General

  • Target

    256158683a6f1768975bfb27ea9d46ac80dfeb4c27960dfa95ebfc07c5afa5b9

  • Size

    1.8MB

  • Sample

    240428-qnqr7agg29

  • MD5

    ee38ca2353a49754ff29fa865b5190ef

  • SHA1

    cf5838cc3d550d3fae6626b6c6a3182f9fc793d8

  • SHA256

    256158683a6f1768975bfb27ea9d46ac80dfeb4c27960dfa95ebfc07c5afa5b9

  • SHA512

    204ae72a19eb7f5ca98543f63ea94642e69232862b7ba86beab755795888201b7b7621099c33315541c91a0f15fa6ed294f794a6fcae14d19924ec15b661fb89

  • SSDEEP

    49152:e3/bnFNCFi8zcQ8PBo2hQHELANEEgjlExuL+rUl8bYj:ejnzgi8pGBouQHH6JExLoWbY

Score
10/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes
  • install_dir

    5454e6f062

  • install_file

    explorta.exe

  • strings_key

    c7a869c5ba1d72480093ec207994e2bf

  • url_paths

    /sev56rkm/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
