amadey | a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b | Triage

Resubmissions

29-06-2024 12:49

240629-p2gk1axgjc 10

02-06-2024 21:31

240602-1c6dlsff6v 10

02-06-2024 14:50

240602-r7t5dsfh36 10

Sharing

General

Target

a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b
Size

1.8MB
Sample

240629-p2gk1axgjc
MD5

122fad17c6aff4733e392eca0386a7b4
SHA1

0be0d823262772d257a99b453d71f87fc3f255c8
SHA256

a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b
SHA512

dd3a8b8a699c977d6683d5a17e51826a738b64ae170ecc455ec02821eff490619b3709a10347ccf83764dad48ad392e6e43d85db772b585dad07aad24aa86153
SSDEEP

24576:C2smJre8lecMoNYrFeSJ8MnkvcDmUPwQ8MIVtCUtqegEqGsw2tcGrdIeTfygjYV0:C2He0ZMoNG6H9BMIVtPo/MO8edcVQA0

Score

10^/10

amadey 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Targets

- Target
  
  a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b
- Size
  
  1.8MB
- MD5
  
  122fad17c6aff4733e392eca0386a7b4
- SHA1
  
  0be0d823262772d257a99b453d71f87fc3f255c8
- SHA256
  
  a4e6e73fee309c3d0479dda205af2805244cdbcd05593b8fc1b79d824aa2d60b
- SHA512
  
  dd3a8b8a699c977d6683d5a17e51826a738b64ae170ecc455ec02821eff490619b3709a10347ccf83764dad48ad392e6e43d85db772b585dad07aad24aa86153
- SSDEEP
  
  24576:C2smJre8lecMoNYrFeSJ8MnkvcDmUPwQ8MIVtCUtqegEqGsw2tcGrdIeTfygjYV0:C2He0ZMoNG6H9BMIVtPo/MO8edcVQA0
Score

10^/10

amadey 49e482 evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadey49e482evasiontrojan