Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6fa8d2a8e9da69d547c4d1873b3cb0f1abf1502c0dba33c047e6ced1304d0520

  • Size

    1.8MB

  • Sample

    240523-jz4pvsac83

  • MD5

    acf3322bc23c39b03e7af19420741869

  • SHA1

    388ca68ea08f6ee697e32c4b5495f270e8550cf8

  • SHA256

    6fa8d2a8e9da69d547c4d1873b3cb0f1abf1502c0dba33c047e6ced1304d0520

  • SHA512

    e8a3d60ce538df9cb436ca888ac02ef8aea146c43b420415bd4b6c9f44e2f45a0be8bae7d47eb3dc1bcfe83f0e46c099d476da8197bd3e1dbf0449e2953e3f20

  • SSDEEP

    49152:f5MJYixn8qIz93v4jpATYjx/3e1+hgc4zAhu:2z58xp3dYjJOkgc4zP

Score
10/10
amadey18befcevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain

Targets

    • Target

      6fa8d2a8e9da69d547c4d1873b3cb0f1abf1502c0dba33c047e6ced1304d0520

    • Size

      1.8MB

    • MD5

      acf3322bc23c39b03e7af19420741869

    • SHA1

      388ca68ea08f6ee697e32c4b5495f270e8550cf8

    • SHA256

      6fa8d2a8e9da69d547c4d1873b3cb0f1abf1502c0dba33c047e6ced1304d0520

    • SHA512

      e8a3d60ce538df9cb436ca888ac02ef8aea146c43b420415bd4b6c9f44e2f45a0be8bae7d47eb3dc1bcfe83f0e46c099d476da8197bd3e1dbf0449e2953e3f20

    • SSDEEP

      49152:f5MJYixn8qIz93v4jpATYjx/3e1+hgc4zAhu:2z58xp3dYjJOkgc4zP

    Score
    10/10
    amadey18befcevasionthemidatrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks