General
-
Target
61f13d89cc6845a3cc301fd6b87cc68b64546d0ede82b996e7257ca328075e4b
-
Size
1.8MB
-
Sample
240523-3xjrfsdh4x
-
MD5
8b2bede8fa1a6ab916e3c3891007f5a4
-
SHA1
77ed669f27793ce8e3f62eea4df918ed8ac1e12f
-
SHA256
61f13d89cc6845a3cc301fd6b87cc68b64546d0ede82b996e7257ca328075e4b
-
SHA512
cfe382b45d6d6f341941c97bd6ab8529423dfb2890a98dde69acbc688470d877796fa8a57840bf5e369fb4ca3ae57bbcc6f410280d81253e15be9dcf80c3bd6c
-
SSDEEP
49152:FDqhYuoBUr9dg5xR4xaKkXxVKKXZ3WY575PM:FOG5Ur7QR2ktYY575P
Malware Config
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Targets
-
-
Target
61f13d89cc6845a3cc301fd6b87cc68b64546d0ede82b996e7257ca328075e4b
-
Size
1.8MB
-
MD5
8b2bede8fa1a6ab916e3c3891007f5a4
-
SHA1
77ed669f27793ce8e3f62eea4df918ed8ac1e12f
-
SHA256
61f13d89cc6845a3cc301fd6b87cc68b64546d0ede82b996e7257ca328075e4b
-
SHA512
cfe382b45d6d6f341941c97bd6ab8529423dfb2890a98dde69acbc688470d877796fa8a57840bf5e369fb4ca3ae57bbcc6f410280d81253e15be9dcf80c3bd6c
-
SSDEEP
49152:FDqhYuoBUr9dg5xR4xaKkXxVKKXZ3WY575PM:FOG5Ur7QR2ktYY575P
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-