Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f

  • Size

    1.8MB

  • Sample

    240519-plsckahb6w

  • MD5

    16e41bf10edd66dc4a0f472193f9bdf7

  • SHA1

    f36900689bafe0b56cd26e4e3966b8250ad67976

  • SHA256

    7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f

  • SHA512

    8d0584b67035eb1a60cb9e729e64f9d62119a6e34c6ed5ae3289db61b9275d3dfbc3becd244e279ca83427c14c29122a75b8e014401a073f6dd45c45e47536f7

  • SSDEEP

    24576:7Qf7S5f6usyqf/vHtkasg5CyAD9figmWsAfjf2fbBhlq8LaXU4mwclVaSU5g19vv:gSEtSa/XApfrmWs/taoa2r/vF11

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Targets

    • Target

      7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f

    • Size

      1.8MB

    • MD5

      16e41bf10edd66dc4a0f472193f9bdf7

    • SHA1

      f36900689bafe0b56cd26e4e3966b8250ad67976

    • SHA256

      7b15f9a7c0001c2f959e1fd64e239ba8ec4ed49ad9828aa7ad603ae5be846e2f

    • SHA512

      8d0584b67035eb1a60cb9e729e64f9d62119a6e34c6ed5ae3289db61b9275d3dfbc3becd244e279ca83427c14c29122a75b8e014401a073f6dd45c45e47536f7

    • SSDEEP

      24576:7Qf7S5f6usyqf/vHtkasg5CyAD9figmWsAfjf2fbBhlq8LaXU4mwclVaSU5g19vv:gSEtSa/XApfrmWs/taoa2r/vF11

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks