amadey | 61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd | Triage

Submit
Reports

Overview

overview

Static

static

7

cryptolaemus

windows10-2004-x64

cryptolaemus

windows11-21h2-x64

Sharing

General

Target

61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd
Size

1.7MB
Sample

240523-2vnf7acd21
MD5

077d26e77094024063e926d5bb6be1ea
SHA1

a64d41d37c1ae9da2cd814bf4b3d4bd9999a879c
SHA256

61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd
SHA512

75565519eaf7b7a0ea935d865745bb9d7eb4c16f1ca7b9c2b38b006c02dd9893c9ee4be3c4534593ea2da99771f6cd68d0e6334c8ee82436d10da260a4e18763
SSDEEP

24576:2eoBQ7elePDKl/ndJLD4Aq48NjFqq6VhClLR1wB80BGcJxitU25xt3D84WpL4ZxV:N2QyleLKhddDdInN1UBG1U2RD7GLIqo

Score

10^/10

amadey 18befc evasion themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd.exe

Resource

win10v2004-20240426-en

amadey 18befc evasion themida trojan

windows10-2004-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd.exe

Resource

win11-20240426-en

amadey 18befc evasion themida trojan

windows11-21h2-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Targets

- Target
  
  61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd
- Size
  
  1.7MB
- MD5
  
  077d26e77094024063e926d5bb6be1ea
- SHA1
  
  a64d41d37c1ae9da2cd814bf4b3d4bd9999a879c
- SHA256
  
  61a74fc2932e5366c94003627a076983386b0b99749b8056d044a0b47f4b19cd
- SHA512
  
  75565519eaf7b7a0ea935d865745bb9d7eb4c16f1ca7b9c2b38b006c02dd9893c9ee4be3c4534593ea2da99771f6cd68d0e6334c8ee82436d10da260a4e18763
- SSDEEP
  
  24576:2eoBQ7elePDKl/ndJLD4Aq48NjFqq6VhClLR1wB80BGcJxitU25xt3D84WpL4ZxV:N2QyleLKhddDdInN1UBG1U2RD7GLIqo
Score

10^/10

amadey 18befc evasion themida trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

amadey18befcevasionthemidatrojan

behavioral2

amadey18befcevasionthemidatrojan

© 2018-2024

Terms | Privacy