General
-
Target
fe6529bb78be50e3b356d01cdd36a896b727cea0cf227af31f5481980a4a9464
-
Size
1.8MB
-
Sample
240727-2cgwpa1gmk
-
MD5
216b5dbaa598e3057bf7aa05f3dc38d4
-
SHA1
0e0013cd8224732051193f0efd6e279d770b6cc6
-
SHA256
fe6529bb78be50e3b356d01cdd36a896b727cea0cf227af31f5481980a4a9464
-
SHA512
827461377b924c77a2e268e38a320a3871101b531f5d420dbf568da6cae925e1a965e65127783a00d61409400704d9fc1ea84c141c21c2a650d61542beadd065
-
SSDEEP
24576:2tPh7vx0UflDCOotsgceqP56w0MmK1SgmMVOmArFekdqYhd5iwa0dtAoTzLkvue1:2tPPjJqGB6JkSgm3mYv5Dj4o/L0ck5
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Targets
-
-
Target
fe6529bb78be50e3b356d01cdd36a896b727cea0cf227af31f5481980a4a9464
-
Size
1.8MB
-
MD5
216b5dbaa598e3057bf7aa05f3dc38d4
-
SHA1
0e0013cd8224732051193f0efd6e279d770b6cc6
-
SHA256
fe6529bb78be50e3b356d01cdd36a896b727cea0cf227af31f5481980a4a9464
-
SHA512
827461377b924c77a2e268e38a320a3871101b531f5d420dbf568da6cae925e1a965e65127783a00d61409400704d9fc1ea84c141c21c2a650d61542beadd065
-
SSDEEP
24576:2tPh7vx0UflDCOotsgceqP56w0MmK1SgmMVOmArFekdqYhd5iwa0dtAoTzLkvue1:2tPPjJqGB6JkSgm3mYv5Dj4o/L0ck5
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-