amadey | b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e | Triage

Submit
Reports

Overview

overview

Static

static

3

b87554d3b5...2e.exe

windows7-x64

b87554d3b5...2e.exe

windows10-2004-x64

Sharing

General

Target

b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
Size

1.8MB
Sample

240903-c6qcgsweqg
MD5

770569784896b9f4265199290d40887b
SHA1

bee501ab46012b693f825446bc92f0b5a21f8851
SHA256

b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
SHA512

ffbbdab985370c1ed504b796ff956f789f3dbb2fb7f75cb8dc740d773e082d3db1ca67781c6e78930592e4d06d431053339b1885cda8207fe516542be1a262ce
SSDEEP

49152:mcKca9Fi9hD+TeUdG/X+rQVZ5kNRsETkKn7ay:m5uhD20/XmQVZ5kNRs+kKn7a

Score

10^/10

amadey stealc c7817d leva discovery evasion stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe

Resource

win7-20240708-en

amadey stealc c7817d leva discovery evasion stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e.exe

Resource

win10v2004-20240802-en

amadey stealc c7817d leva discovery evasion stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes

install_dir
0e8d0864aa
install_file
svoutse.exe
strings_key
5481b88a6ef75bcf21333988a4e47048
url_paths
/Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

leva

C2

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Targets

- Target
  
  b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
- Size
  
  1.8MB
- MD5
  
  770569784896b9f4265199290d40887b
- SHA1
  
  bee501ab46012b693f825446bc92f0b5a21f8851
- SHA256
  
  b87554d3b5377f3800ed096efe3b6e4d02c7ad9e3bdf1f71a66ed47ae479662e
- SHA512
  
  ffbbdab985370c1ed504b796ff956f789f3dbb2fb7f75cb8dc740d773e082d3db1ca67781c6e78930592e4d06d431053339b1885cda8207fe516542be1a262ce
- SSDEEP
  
  49152:mcKca9Fi9hD+TeUdG/X+rQVZ5kNRsETkKn7ay:m5uhD20/XmQVZ5kNRs+kKn7a
Score

10^/10

amadey stealc c7817d leva discovery evasion stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeystealcc7817dlevadiscoveryevasionstealertrojan

behavioral2

amadeystealcc7817dlevadiscoveryevasionstealertrojan

© 2018-2025

Terms | Privacy