amadey

General

Target

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd
Size

1.8MB
Sample

240514-2frkascc26
MD5

a99882f9b749bc3828ae0bbba5f8ab42
SHA1

245713f0928010e1534fd2ddef7788b77ebeabde
SHA256

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd
SHA512

9c641af50a8132673e0af32f1eee948bba1a4d6156e76d1141f7fcefc8078b8abe8360c50878ba95899669ee952b988d0169eb9bc3a0a246d9a91af60cb151a5
SSDEEP

49152:daXs8646GIMTbxlNYvYrhxajmczF772EPUlD0:MX9f6GI+NP2uJUaEPUK

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Targets

- Target
  
  ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd
- Size
  
  1.8MB
- MD5
  
  a99882f9b749bc3828ae0bbba5f8ab42
- SHA1
  
  245713f0928010e1534fd2ddef7788b77ebeabde
- SHA256
  
  ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd
- SHA512
  
  9c641af50a8132673e0af32f1eee948bba1a4d6156e76d1141f7fcefc8078b8abe8360c50878ba95899669ee952b988d0169eb9bc3a0a246d9a91af60cb151a5
- SSDEEP
  
  49152:daXs8646GIMTbxlNYvYrhxajmczF772EPUlD0:MX9f6GI+NP2uJUaEPUK
Score

10^/10

amadey zgrat evasion rat trojan privateloader bootkit execution loader persistence themida
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Modifies firewall policy service
  evasion
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2