amadey | 4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7 | Triage

Submit
Reports

Overview

overview

Static

static

3

4dff851bc8...c7.exe

windows10-2004-x64

Resubmissions

26-09-2024 23:17

240926-2943gstaqm 10

26-09-2024 22:37

240926-2ka34s1gjk 10

Sharing

General

Target

4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7
Size

1.9MB
Sample

240926-2943gstaqm
MD5

163783e79ea2e3dba698f5933e4c3561
SHA1

5c411b62b7ac82cde4dee6e7e70f703535066600
SHA256

4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7
SHA512

5152be8ce316edd89b284b02c11b18a3dbe4753b12c85db5aded4bd65bb7005a0d9d323656b47cc7b6a8c82a467019887a9dcad21afbca10d7e86e19810c558e
SSDEEP

24576:KxNAljwnaibmh5gCig1P5weI1gN3hrO1f7C2TLtTleRcGsLBr9Oi7B3PbaoU5BWw:OqwqHZV0f7CE7Oi70H5BWf4Z

Score

10^/10

amadey fed3aa discovery evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7.exe

Resource

win10v2004-20240802-en

amadey fed3aa discovery evasion persistence trojan

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Targets

- Target
  
  4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7
- Size
  
  1.9MB
- MD5
  
  163783e79ea2e3dba698f5933e4c3561
- SHA1
  
  5c411b62b7ac82cde4dee6e7e70f703535066600
- SHA256
  
  4dff851bc8eef01f9edc43742ace87e10d2dfd4461f180635b842f180b8beac7
- SHA512
  
  5152be8ce316edd89b284b02c11b18a3dbe4753b12c85db5aded4bd65bb7005a0d9d323656b47cc7b6a8c82a467019887a9dcad21afbca10d7e86e19810c558e
- SSDEEP
  
  24576:KxNAljwnaibmh5gCig1P5weI1gN3hrO1f7C2TLtTleRcGsLBr9Oi7B3PbaoU5BWw:OqwqHZV0f7CE7Oi70H5BWf4Z
Score

10^/10

amadey fed3aa discovery evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyfed3aadiscoveryevasionpersistencetrojan

© 2018-2025

Terms | Privacy