General
-
Target
fbafbd2d04ccf9b8db353974e764df0d0a3d0691406b70daf7435222271967db
-
Size
1.9MB
-
Sample
240515-gnns6aca61
-
MD5
2e73b9e2765053f0161aa0ea34c6d1b2
-
SHA1
49f4dc0d4fa2e66f281ca67a5c3dc37b76282521
-
SHA256
fbafbd2d04ccf9b8db353974e764df0d0a3d0691406b70daf7435222271967db
-
SHA512
79e382bc44eb7bf81ee3a93a6ebe71720bece8a5b79ac77736a147ce58d36c7c165a6c6e55c8131060ff2f95bea34d1330270e0bd444392890b2a236de06869a
-
SSDEEP
49152:I0iOnygNYTF9UCDnVDC5z88nMiQLosj6vLpWHXP7F6bof:IQLYfnNoz88nQhMdWHRr
Malware Config
Extracted
amadey
4.20
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Targets
-
-
Target
fbafbd2d04ccf9b8db353974e764df0d0a3d0691406b70daf7435222271967db
-
Size
1.9MB
-
MD5
2e73b9e2765053f0161aa0ea34c6d1b2
-
SHA1
49f4dc0d4fa2e66f281ca67a5c3dc37b76282521
-
SHA256
fbafbd2d04ccf9b8db353974e764df0d0a3d0691406b70daf7435222271967db
-
SHA512
79e382bc44eb7bf81ee3a93a6ebe71720bece8a5b79ac77736a147ce58d36c7c165a6c6e55c8131060ff2f95bea34d1330270e0bd444392890b2a236de06869a
-
SSDEEP
49152:I0iOnygNYTF9UCDnVDC5z88nMiQLosj6vLpWHXP7F6bof:IQLYfnNoz88nQhMdWHRr
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-