amadey | 1d8086b3196add42fa8fcb268dfb11431f1f238ef81dd91d405749951af791ff | Triage

Sharing

General

Target

1d8086b3196add42fa8fcb268dfb11431f1f238ef81dd91d405749951af791ff
Size

1.8MB
Sample

240905-tstw7avfrh
MD5

b030c4e788c47630a8179db51087212e
SHA1

b8267d00892c758f32a34a48c7ebc18e1ab1d20b
SHA256

1d8086b3196add42fa8fcb268dfb11431f1f238ef81dd91d405749951af791ff
SHA512

749c8f662a4e344c09be374e434cb85b4dea2503e4573764347257796ca14b1783ded3d931e6f90233dc54bb090d5538b189a345789c3cb3a86282be57217e1c
SSDEEP

49152:hsrZA8HjF1FeGrfU+s7tcaKDq0pKxQQ/HCl889nF0zrUL:GrZXFffU7tg+0wDHC7nF0zr4

Score

10^/10

amadey c7817d discovery evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes

install_dir
0e8d0864aa
install_file
svoutse.exe
strings_key
5481b88a6ef75bcf21333988a4e47048
url_paths
/Dem7kTu/index.php

rc4.plain

Targets

- Target
  
  1d8086b3196add42fa8fcb268dfb11431f1f238ef81dd91d405749951af791ff
- Size
  
  1.8MB
- MD5
  
  b030c4e788c47630a8179db51087212e
- SHA1
  
  b8267d00892c758f32a34a48c7ebc18e1ab1d20b
- SHA256
  
  1d8086b3196add42fa8fcb268dfb11431f1f238ef81dd91d405749951af791ff
- SHA512
  
  749c8f662a4e344c09be374e434cb85b4dea2503e4573764347257796ca14b1783ded3d931e6f90233dc54bb090d5538b189a345789c3cb3a86282be57217e1c
- SSDEEP
  
  49152:hsrZA8HjF1FeGrfU+s7tcaKDq0pKxQQ/HCl889nF0zrUL:GrZXFffU7tg+0wDHC7nF0zr4
Score

10^/10

amadey c7817d discovery evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyc7817ddiscoveryevasiontrojan

behavioral2

amadeyc7817ddiscoveryevasiontrojan