amadey | 65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3 | Triage

Submit
Reports

Overview

overview

Static

static

3

65b13c88ba...c3.exe

windows11-21h2-x64

Resubmissions

08-05-2024 17:38

240508-v78vbshh68 10

07-05-2024 20:46

240507-zkn9mafa5t 10

07-05-2024 15:51

240507-tazpqagb25 10

01-05-2024 23:14

240501-28cxlsca92 10

Sharing

General

Target

65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
Size

1.9MB
Sample

240508-v78vbshh68
MD5

cf02058ce59cb0d1f9e9f3146316717f
SHA1

9c276c5d673ad974c0c49e55be5e1952100bbc56
SHA256

65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
SHA512

5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7
SSDEEP

49152:V3/bnL0qZ+XLHP19pmfybjyCIaIzRGuyW2/iC2Xxx9lB:VjnLnYXx90abbI3Dy/iC2Xr

Score

10^/10

amadey evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe

Resource

win11-20240426-en

amadey evasion trojan

windows11-21h2-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Targets

- Target
  
  65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
- Size
  
  1.9MB
- MD5
  
  cf02058ce59cb0d1f9e9f3146316717f
- SHA1
  
  9c276c5d673ad974c0c49e55be5e1952100bbc56
- SHA256
  
  65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
- SHA512
  
  5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7
- SSDEEP
  
  49152:V3/bnL0qZ+XLHP19pmfybjyCIaIzRGuyW2/iC2Xxx9lB:VjnLnYXx90abbI3Dy/iC2Xr
Score

10^/10

amadey evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyevasiontrojan

© 2018-2024

Terms | Privacy