amadey | 73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3 | Triage

Sharing

General

Target

73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
Size

1.8MB
Sample

240724-g4ycjasckl
MD5

b2c7ce6fe0d3fb9cd8b518258c085bde
SHA1

b8144cc4f366319c62dde4a6abb1eeaec368a41f
SHA256

73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
SHA512

c15793c6c22c3996b015dee8f9d640b698f3d302225dae3312a1b0e7784bdcddbf1f88a0e5f437365d8a4f2e84262020b2ccccbdb9dc6599a8bd79537d2d7aee
SSDEEP

49152:+mMayu1j6bP+c9Uw5obU2lZTfQBkDaaDEeAfB4XxiI:3MDT+aUw2XykDareAfer

Score

10^/10

amadey stealc 4dd39d sila discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

sila

C2

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Targets

- Target
  
  73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
- Size
  
  1.8MB
- MD5
  
  b2c7ce6fe0d3fb9cd8b518258c085bde
- SHA1
  
  b8144cc4f366319c62dde4a6abb1eeaec368a41f
- SHA256
  
  73b18034b92e7b3dd1ec7694c1aa14acf221c8b4e82ae2ffa8e748d74d3fe6b3
- SHA512
  
  c15793c6c22c3996b015dee8f9d640b698f3d302225dae3312a1b0e7784bdcddbf1f88a0e5f437365d8a4f2e84262020b2ccccbdb9dc6599a8bd79537d2d7aee
- SSDEEP
  
  49152:+mMayu1j6bP+c9Uw5obU2lZTfQBkDaaDEeAfB4XxiI:3MDT+aUw2XykDareAfer
Score

10^/10

amadey stealc 4dd39d sila discovery evasion persistence stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeystealc4dd39dsiladiscoveryevasionpersistencestealertrojan

behavioral2

amadeystealc4dd39dsiladiscoveryevasionpersistencestealertrojan