General

  • Target

    a335c94809326a611bca086974fb68b4e595af572b05adf1fc277f83d7c7a0ce

  • Size

    1.8MB

  • Sample

    240911-k7ldxstdjc

  • MD5

    46d031c71e21880a7c817a23b2b60eaf

  • SHA1

    36de7da042335b520865321f7fe2710ca2fdedfb

  • SHA256

    a335c94809326a611bca086974fb68b4e595af572b05adf1fc277f83d7c7a0ce

  • SHA512

    1cf648972a26e5337314a96a96018a42010e6f6dc1958eb07cfff35b49ae220821ea5200f2f23dd8c59308558fdf4021bf6b0b7dc010462fe451ce5f25665f12

  • SSDEEP

    49152:lrbFDosDfW4EOgDdTMlynU8bRHbSwhVQuAhG:lPFDrT7oelZYQwUG

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Targets

    • Target

      a335c94809326a611bca086974fb68b4e595af572b05adf1fc277f83d7c7a0ce

    • Size

      1.8MB

    • MD5

      46d031c71e21880a7c817a23b2b60eaf

    • SHA1

      36de7da042335b520865321f7fe2710ca2fdedfb

    • SHA256

      a335c94809326a611bca086974fb68b4e595af572b05adf1fc277f83d7c7a0ce

    • SHA512

      1cf648972a26e5337314a96a96018a42010e6f6dc1958eb07cfff35b49ae220821ea5200f2f23dd8c59308558fdf4021bf6b0b7dc010462fe451ce5f25665f12

    • SSDEEP

      49152:lrbFDosDfW4EOgDdTMlynU8bRHbSwhVQuAhG:lPFDrT7oelZYQwUG

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks