amadey

General

Target

20fe52f3ba934b9b7454c194f44d74d0.bin
Size

1.8MB
Sample

240622-c9tjbayaqp
MD5

0530a520a44d5927947c8241338d4c3a
SHA1

261eab0bba955b3585ae1bb9567d01781b85eda1
SHA256

03dbdf1025c35431c81c7df0c148470b8c0a179878957a75b870fb453540af62
SHA512

40e58489093ad6f6793045bf44d85fd07007269511c790b63d8f1aace9bf99cc4c1add3a1529310c9db8a195b66183be87663697261566e20e879f722a35b95c
SSDEEP

24576:edqMtdXfwmdfslmvheoloekogJ8jY1ZCi05sx7WR6Md9m82KZafp6dnS7G7HvN1k:edztdfdz5nloekoqt11IguCQ1GYHvLPI

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

C2

77.91.77.66:58709

Targets

- Target
  
  3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603.exe
- Size
  
  1.8MB
- MD5
  
  20fe52f3ba934b9b7454c194f44d74d0
- SHA1
  
  f38c3041926f329dac459bacce67850dc58ab15a
- SHA256
  
  3dca9b74c06babae491aef6495a256d6d26a4539cdc680b64ea4e0daee9cf603
- SHA512
  
  de74eaa8fcd2dc40da40f09e4c69f41c63282c1d70f352fe3e6f0b7ef70318f5252e520574d428f1bd5c24dc6d55acab9f109b6a6c36718df1f9ead25effccfc
- SSDEEP
  
  24576:1/JK2aIjA7qco3fFT9eSzR160c8LE8x+dyh9tfzHEBZ/QJc0erHIuoDaFtTNihZi:VlfA7kvFJRPpAC+UdTmtQCtouortLka
Score

10^/10

amadey risepro 0e6740 evasion stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2