amadey | 678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481 | Triage

Submit
Reports

Overview

overview

Static

static

3

678e3c7515...81.exe

windows10-2004-x64

Resubmissions

21-09-2024 14:03

240921-rcvgnswbjc 10

21-09-2024 14:02

240921-rcclvswdkp 10

19-09-2024 22:36

240919-2jfxzavbkh 10

Sharing

General

Target

678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481
Size

1.8MB
Sample

240921-rcclvswdkp
MD5

1bcbea527033a37d2ad097f1e308cc9a
SHA1

100bd0670891ded1c349e07a314646b9d1e91c22
SHA256

678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481
SHA512

7ec2c722efc234efa6dcf886adc6d06c82a860cd1ac1ed63a137eb767e59227ea40150b5d8ee093bd51fdb1b70ecd967fcc70f96b6fa1d1fe213e1b602b0172d
SSDEEP

49152:byylb588O4NhbiEAQNle/H/rPz50lHuJ5Jpu:J5vbhbiE/N4frPcWr

Score

10^/10

amadey fed3aa discovery evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481.exe

Resource

win10v2004-20240802-uk

amadey fed3aa discovery evasion trojan

windows10-2004-x64

16 signatures

1800 seconds

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Targets

- Target
  
  678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481
- Size
  
  1.8MB
- MD5
  
  1bcbea527033a37d2ad097f1e308cc9a
- SHA1
  
  100bd0670891ded1c349e07a314646b9d1e91c22
- SHA256
  
  678e3c75154bedc191abb4f8571c2995d5c4eda733eae9425714b9c9df241481
- SHA512
  
  7ec2c722efc234efa6dcf886adc6d06c82a860cd1ac1ed63a137eb767e59227ea40150b5d8ee093bd51fdb1b70ecd967fcc70f96b6fa1d1fe213e1b602b0172d
- SSDEEP
  
  49152:byylb588O4NhbiEAQNle/H/rPz50lHuJ5Jpu:J5vbhbiE/N4frPcWr
Score

10^/10

amadey fed3aa discovery evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyfed3aadiscoveryevasiontrojan

© 2018-2024

Terms | Privacy