amadey | c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d | Triage

Submit
Reports

Overview

overview

Static

static

3

c41a1daa7b...5d.exe

windows10-2004-x64

Resubmissions

02/05/2024, 19:14

240502-xxn4aaeb7t 10

02/05/2024, 19:12

240502-xwnfcsgb65 10

02/05/2024, 19:00

240502-xnvjpsga77 10

Sharing

Copy URL Twitter E-mail

General

Target

c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d
Size

1.8MB
Sample

240502-xxn4aaeb7t
MD5

0d1b47ba8ee79e3116f92ee0c4e05901
SHA1

cd28061e61e07feffd717132ff7f4217fc015c07
SHA256

c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d
SHA512

46661640651df3eaa7777159b1e7aae07fa8c8d2773fe8f3e02f6b43fad67ffbfbab3a5d0a332834d8e24295e6a00b34f1923709f8ba01141bb429c4fce09b75
SSDEEP

49152:WgBty/Xlt6dcqNGi/35hcozj5TGRYG6iqW:WgBty/T9qNGygozNTAfl

Score

10^/10

amadey evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d.exe

Resource

win10v2004-20240226-en

amadey evasion trojan

windows10-2004-x64

12 signatures

1800 seconds

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Targets

- Target
  
  c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d
- Size
  
  1.8MB
- MD5
  
  0d1b47ba8ee79e3116f92ee0c4e05901
- SHA1
  
  cd28061e61e07feffd717132ff7f4217fc015c07
- SHA256
  
  c41a1daa7b28eede88cc588778503224a46f4399f2f5b27b804530f7f1abf15d
- SHA512
  
  46661640651df3eaa7777159b1e7aae07fa8c8d2773fe8f3e02f6b43fad67ffbfbab3a5d0a332834d8e24295e6a00b34f1923709f8ba01141bb429c4fce09b75
- SSDEEP
  
  49152:WgBty/Xlt6dcqNGi/35hcozj5TGRYG6iqW:WgBty/T9qNGygozNTAfl
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

© 2018-2025

Terms | Privacy