Overview

overview

10

Static

static

3

30b7b1795a...0d.exe

windows7-x64

10

30b7b1795a...0d.exe

windows10-2004-x64

10

Resubmissions

25/07/2024, 16:02

240725-tg87qsygnl 10

25/07/2024, 14:29

240725-rtm4xstdkk 10

23/07/2024, 13:05

240723-qbxd7s1epr 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

  • Size

    1.8MB

  • Sample

    240725-rtm4xstdkk

  • MD5

    927614bdb1fff68b49468bc4a3886f36

  • SHA1

    e684e796b2d93374c80e94d5b77fdd50c194a0d4

  • SHA256

    30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

  • SHA512

    b8c84b98902d8b9b942d8b928a65e7f23465d773f9751f64695e011717ac84257d9d736781c7e9c239ed27b481f1c7fca5a62a2ea3f255797f868e6d7a7829e7

  • SSDEEP

    49152:Hp1xNjgKwcs8ktH3FxhFb+9pzyqUnntttX0o:Jr+3csfVVxXbmp2q05X0o

Score
10/10
amadeye76b71discoveryevasiontrojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Targets

    • Target

      30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

    • Size

      1.8MB

    • MD5

      927614bdb1fff68b49468bc4a3886f36

    • SHA1

      e684e796b2d93374c80e94d5b77fdd50c194a0d4

    • SHA256

      30b7b1795af4fa8f43cdf9595f5a266ddfa407e9e3bab55b0684618efc6bbd0d

    • SHA512

      b8c84b98902d8b9b942d8b928a65e7f23465d773f9751f64695e011717ac84257d9d736781c7e9c239ed27b481f1c7fca5a62a2ea3f255797f868e6d7a7829e7

    • SSDEEP

      49152:Hp1xNjgKwcs8ktH3FxhFb+9pzyqUnntttX0o:Jr+3csfVVxXbmp2q05X0o

    Score
    10/10
    amadeye76b71discoveryevasiontrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks