Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    4e237f1e26b298872f262865da75ad9d07fc8eaa62ccc4a1def4fe240429ad6d

  • Size

    1.8MB

  • Sample

    240519-nj6xhafe7t

  • MD5

    f66c34adf11e36c233d031b6e106e476

  • SHA1

    365f7e709018925711f8b0e8f7c6c9912f6f7e38

  • SHA256

    4e237f1e26b298872f262865da75ad9d07fc8eaa62ccc4a1def4fe240429ad6d

  • SHA512

    e8a4eb5789701e80dd093a350bccf3fce7c4b124f97c3225e4462491f404f72d788833009a8e409cb02ab3f982e5785542d940c16f3e8d20da77ae12fed126c4

  • SSDEEP

    49152:nW5ry23rhOU/472WpHf0rI03d22se696nx4HkQhbsLv6Imdw:Er53rh6CWVf0Uy2Zh96nobAKw

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Targets

    • Target

      4e237f1e26b298872f262865da75ad9d07fc8eaa62ccc4a1def4fe240429ad6d

    • Size

      1.8MB

    • MD5

      f66c34adf11e36c233d031b6e106e476

    • SHA1

      365f7e709018925711f8b0e8f7c6c9912f6f7e38

    • SHA256

      4e237f1e26b298872f262865da75ad9d07fc8eaa62ccc4a1def4fe240429ad6d

    • SHA512

      e8a4eb5789701e80dd093a350bccf3fce7c4b124f97c3225e4462491f404f72d788833009a8e409cb02ab3f982e5785542d940c16f3e8d20da77ae12fed126c4

    • SSDEEP

      49152:nW5ry23rhOU/472WpHf0rI03d22se696nx4HkQhbsLv6Imdw:Er53rh6CWVf0Uy2Zh96nobAKw

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks