amadey

General

Target

b7dc5b4f4be3d2c4c76937c27442a68694b473d5ca110ffd13cf6268cd3737f8
Size

1.7MB
Sample

240509-tll8rsdf32
MD5

9caa94f8c83dffabcec5bbd3589f9862
SHA1

abc713e2bfe145046f4e5cb5bd20e47bd041a95c
SHA256

b7dc5b4f4be3d2c4c76937c27442a68694b473d5ca110ffd13cf6268cd3737f8
SHA512

a3e639f416178437a9f9c0ff474b2cbe440d42ef7a6fafd4315e3c145cf78816799a76247675892b6232a3e0841222424979637b7280d02678bdaa571fe2dfa9
SSDEEP

49152:JwmwgUTbxbs9MWYhHXNO6atXkbMPIncuoUf7fslR:Jw7bbxZWYhHXM4bM8cofbslR

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Targets

- Target
  
  b7dc5b4f4be3d2c4c76937c27442a68694b473d5ca110ffd13cf6268cd3737f8
- Size
  
  1.7MB
- MD5
  
  9caa94f8c83dffabcec5bbd3589f9862
- SHA1
  
  abc713e2bfe145046f4e5cb5bd20e47bd041a95c
- SHA256
  
  b7dc5b4f4be3d2c4c76937c27442a68694b473d5ca110ffd13cf6268cd3737f8
- SHA512
  
  a3e639f416178437a9f9c0ff474b2cbe440d42ef7a6fafd4315e3c145cf78816799a76247675892b6232a3e0841222424979637b7280d02678bdaa571fe2dfa9
- SSDEEP
  
  49152:JwmwgUTbxbs9MWYhHXNO6atXkbMPIncuoUf7fslR:Jw7bbxZWYhHXM4bM8cofbslR
Score

10^/10

amadey evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2