General
-
Target
7411d3399b9c2f589942eecffa11d2ef76b5cce4154918de41107a02d3cf7413
-
Size
1.7MB
-
Sample
240521-s8kssaag98
-
MD5
55722ad0acfcb5e80da700a4272804a8
-
SHA1
719c93f8c80a9d5ea07c5ef6539b99a07e61eaf1
-
SHA256
7411d3399b9c2f589942eecffa11d2ef76b5cce4154918de41107a02d3cf7413
-
SHA512
eee358c3705fb21feda57d919a5cd78b9a56704b70db6ecc7dbbebde94aa97673c3ef0d0e763713394a1966707d9e6ca7dc039f48498c8f8b5aba1a287ff7c41
-
SSDEEP
49152:M2tlbo3vG7K+c+yOxd88gIxMAdIG9eG0YJ4Kc5Y:M2tlkv9+Sh8xtdIG824KR
Malware Config
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Targets
-
-
Target
7411d3399b9c2f589942eecffa11d2ef76b5cce4154918de41107a02d3cf7413
-
Size
1.7MB
-
MD5
55722ad0acfcb5e80da700a4272804a8
-
SHA1
719c93f8c80a9d5ea07c5ef6539b99a07e61eaf1
-
SHA256
7411d3399b9c2f589942eecffa11d2ef76b5cce4154918de41107a02d3cf7413
-
SHA512
eee358c3705fb21feda57d919a5cd78b9a56704b70db6ecc7dbbebde94aa97673c3ef0d0e763713394a1966707d9e6ca7dc039f48498c8f8b5aba1a287ff7c41
-
SSDEEP
49152:M2tlbo3vG7K+c+yOxd88gIxMAdIG9eG0YJ4Kc5Y:M2tlkv9+Sh8xtdIG824KR
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-