amadey

General

Target

c7dc30fd00d20a180d493199f3c2a8c5d110cde829f8f683faae07f7583648bc
Size

1.7MB
Sample

240522-dlaa7sac53
MD5

89be485181f962da57cb671384f7877c
SHA1

b36934e6a863937d9fd3996b36e07ae89bae3576
SHA256

c7dc30fd00d20a180d493199f3c2a8c5d110cde829f8f683faae07f7583648bc
SHA512

fb1da6491fd80d93f2e8cb344f9ed09ef2ce117da51c49e15a077a60b568123574b292d66ecdb0a3c876dd79fc6aec10c1996b84ac0a2190a8423c456c30b105
SSDEEP

24576:J5kyJj3YU+DzFcTJ28y1JmX3s5I1t+5eCuVCyrZnKt9T1VNsF3wKtwtBB5cVZd4B:EyUUuIJgCc50zIAZQ95HsawrVVnTdm

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Targets

- Target
  
  c7dc30fd00d20a180d493199f3c2a8c5d110cde829f8f683faae07f7583648bc
- Size
  
  1.7MB
- MD5
  
  89be485181f962da57cb671384f7877c
- SHA1
  
  b36934e6a863937d9fd3996b36e07ae89bae3576
- SHA256
  
  c7dc30fd00d20a180d493199f3c2a8c5d110cde829f8f683faae07f7583648bc
- SHA512
  
  fb1da6491fd80d93f2e8cb344f9ed09ef2ce117da51c49e15a077a60b568123574b292d66ecdb0a3c876dd79fc6aec10c1996b84ac0a2190a8423c456c30b105
- SSDEEP
  
  24576:J5kyJj3YU+DzFcTJ28y1JmX3s5I1t+5eCuVCyrZnKt9T1VNsF3wKtwtBB5cVZd4B:EyUUuIJgCc50zIAZQ95HsawrVVnTdm
Score

10^/10

amadey 18befc evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2