General
-
Target
68a58d2e7921315838e36ba04ff25bc88661851403e4ddbf9337c9cbdf1fb5ac
-
Size
1.5MB
-
Sample
240524-ace9baec59
-
MD5
a9caef7db4a30397e409d2adcfab9038
-
SHA1
2bff200a21f36ab7426679db954c351a5c934d34
-
SHA256
68a58d2e7921315838e36ba04ff25bc88661851403e4ddbf9337c9cbdf1fb5ac
-
SHA512
37d626552df1ead838bf76a1472538d061947232a75eb014c780c2151b637d7ccf61027b0d8e117a18dd2411a74165bc4851e03be16d44aba790fe3bac6d4d3f
-
SSDEEP
24576:tvDqbiBdtLHWsK+kfDU7cWDsHHhpttJmvQJZOqSDNwVwjWjsKwfAQGewp:FDPJLHGPDUY/nNtSQeDNMjCAX9
Malware Config
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Targets
-
-
Target
68a58d2e7921315838e36ba04ff25bc88661851403e4ddbf9337c9cbdf1fb5ac
-
Size
1.5MB
-
MD5
a9caef7db4a30397e409d2adcfab9038
-
SHA1
2bff200a21f36ab7426679db954c351a5c934d34
-
SHA256
68a58d2e7921315838e36ba04ff25bc88661851403e4ddbf9337c9cbdf1fb5ac
-
SHA512
37d626552df1ead838bf76a1472538d061947232a75eb014c780c2151b637d7ccf61027b0d8e117a18dd2411a74165bc4851e03be16d44aba790fe3bac6d4d3f
-
SSDEEP
24576:tvDqbiBdtLHWsK+kfDU7cWDsHHhpttJmvQJZOqSDNwVwjWjsKwfAQGewp:FDPJLHGPDUY/nNtSQeDNMjCAX9
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-