General

  • Target

    7554fab3381263ee14feeff91baff6c8fe981f8dd367800e7f4b930c908385e1

  • Size

    1.8MB

  • Sample

    240926-2mse6s1hml

  • MD5

    64a326e2e14c182ad069076d4efd6848

  • SHA1

    fcdd7a09df0a30c611ed4e3ffc338839c089d92e

  • SHA256

    7554fab3381263ee14feeff91baff6c8fe981f8dd367800e7f4b930c908385e1

  • SHA512

    509812802fa553cc4f6dd928edff4f80aa0736d24438dee442d46dc4e7696d661d8b36b2443d99decf116656123a73805d972909d6ea203cdb0e3a61a0e4397b

  • SSDEEP

    24576:8oIJ2hiLk4IIriDJznPCQ2T1t0nmH1CZxe5qd8q44Ae8B++6t4DIafxAhQFIoBKS:vIJ2hiLf+NDKpT1t0wDZzeUb6teFY

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes
  • install_dir

    0e8d0864aa

  • install_file

    svoutse.exe

  • strings_key

    5481b88a6ef75bcf21333988a4e47048

  • url_paths

    /Dem7kTu/index.php

rc4.plain
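The extracted configuration above is mostly useful as a set of hunting artifacts: the C2 host joined with url_paths gives the beacon URL, install_dir and install_file give the on-disk drop path, and strings_key is the key the sample's encrypted strings were recovered with. The following is an added example and not code from the report or from the Amadey sample; it assumes strings_key is used as the literal ASCII key of plain RC4 (suggested by the rc4.plain attribute, but not stated by the report), and the log lines it searches are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Values copied from the extracted config above.
CONFIG = {
    "c2": ["http://31.41.244.10"],
    "url_paths": ["/Dem7kTu/index.php"],
    "install_dir": "0e8d0864aa",
    "install_file": "svoutse.exe",
    "strings_key": "5481b88a6ef75bcf21333988a4e47048",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). Same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: str = CONFIG["strings_key"]) -> str:
    """ASSUMPTION: strings_key is the literal ASCII RC4 key for the sample's strings."""
    return rc4(key.encode("ascii"), bytes.fromhex(hex_blob)).decode("utf-8", "replace")


# Constructed for the demo by encrypting a known plaintext under strings_key;
# this is NOT a blob carved from the binary.
DEMO_ENCRYPTED_HEX = rc4(CONFIG["strings_key"].encode("ascii"), b"Dem7kTu/index.php").hex()


def beacon_urls(cfg=CONFIG):
    """Full beacon URLs: every C2 joined with every url_path."""
    return [c2.rstrip("/") + path for c2 in cfg["c2"] for path in cfg["url_paths"]]


# Constructed log lines (proxy + Sysmon-style process creation), not from the report.
SAMPLE_LOGS = [
    '2024-09-26T20:03:11Z proxy src=10.0.0.15 method=POST url="http://31.41.244.10/Dem7kTu/index.php" status=200',
    '2024-09-26T20:03:12Z proxy src=10.0.0.15 method=GET url="http://example.com/" status=200',
    r'2024-09-26T20:02:58Z sysmon EventID=1 Image="C:\Users\u\AppData\Local\Temp\0e8d0864aa\svoutse.exe"',
    r'2024-09-26T20:02:50Z sysmon EventID=1 Image="C:\Windows\System32\notepad.exe"',
]


def hunt(lines, cfg=CONFIG):
    """Tag each line that matches a config-derived artifact.

    c2_beacon    exact beacon URL (high confidence)
    c2_host      any other request to a configured C2 host (lower confidence)
    install_path <install_dir>\\<install_file> in a process image path
    """
    exact = set(beacon_urls(cfg))
    hosts = {urlparse(c2).netloc for c2 in cfg["c2"]}
    drop = re.compile(re.escape(cfg["install_dir"]) + r"\\" + re.escape(cfg["install_file"]), re.I)
    hits = []
    for line in lines:
        m = re.search(r'url="([^"]+)"', line)
        if m:
            url = m.group(1)
            if url in exact:
                hits.append(("c2_beacon", line))
            elif urlparse(url).netloc in hosts:
                hits.append(("c2_host", line))
        elif drop.search(line):
            hits.append(("install_path", line))
    return hits


if __name__ == "__main__":
    print("beacon URLs:", beacon_urls())
    print("decrypted demo string:", decrypt_string(DEMO_ENCRYPTED_HEX))
    for tag, line in hunt(SAMPLE_LOGS):
        print(tag, "->", line)
```

The drop-path regex deliberately matches only the trailing `<install_dir>\<install_file>` pair rather than a full path, because the report does not state which parent directory the sample writes into; the c2_host tag exists so that a beacon to a path other than the configured one is still surfaced, just at lower confidence.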

Targets

    • Target

      7554fab3381263ee14feeff91baff6c8fe981f8dd367800e7f4b930c908385e1

    • Size

      1.8MB

    • MD5

      64a326e2e14c182ad069076d4efd6848

    • SHA1

      fcdd7a09df0a30c611ed4e3ffc338839c089d92e

    • SHA256

      7554fab3381263ee14feeff91baff6c8fe981f8dd367800e7f4b930c908385e1

    • SHA512

      509812802fa553cc4f6dd928edff4f80aa0736d24438dee442d46dc4e7696d661d8b36b2443d99decf116656123a73805d972909d6ea203cdb0e3a61a0e4397b

    • SSDEEP

      24576:8oIJ2hiLk4IIriDJznPCQ2T1t0nmH1CZxe5qd8q44Ae8B++6t4DIafxAhQFIoBKS:vIJ2hiLf+NDKpT1t0wDZzeUb6teFY

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information from the infected host.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read from the registry to detect sandboxing environments, whose virtualised firmware strings differ from those of physical hardware.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger
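The three registry-based signatures above (VirtualBox ACPI tables, BIOS strings, Wine keys) are worth reproducing on the analysis host, both to understand what the sample is looking for and to verify that a sandbox image has been hardened against them. The following is an added example and not the sample's own code; the report does not list the exact keys the sample reads, so the locations below are the commonly used ones and are an assumption. The registry reader is injectable so the logic can run against a constructed snapshot off Windows; the live reader only works on Windows. The NtSetInformationThreadHideFromDebugger signature is a thread-level anti-debug call and is not covered here.

```python
import sys

# Well-known locations (assumed; the report does not name the keys the sample reads).
VBOX_ACPI_KEYS = [
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__"),
    ("HKLM", r"HARDWARE\ACPI\FADT\VBOX__"),
    ("HKLM", r"HARDWARE\ACPI\RSDT\VBOX__"),
]
BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
]
WINE_KEYS = [("HKCU", r"Software\Wine"), ("HKLM", r"Software\Wine")]
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS", "XEN")


class FakeRegistry:
    """Constructed registry snapshot: {(hive, key_path): {value_name: data}}."""

    def __init__(self, snapshot):
        self._s = {(h, k.lower()): v for (h, k), v in snapshot.items()}

    def key_exists(self, hive, path):
        return (hive, path.lower()) in self._s

    def read_value(self, hive, path, name):
        return self._s.get((hive, path.lower()), {}).get(name)


class WinRegistry:
    """Live reader; import of winreg restricts it to Windows."""

    def __init__(self):
        import winreg
        self._w = winreg
        self._hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def key_exists(self, hive, path):
        try:
            self._w.CloseKey(self._w.OpenKey(self._hives[hive], path))
            return True
        except OSError:
            return False

    def read_value(self, hive, path, name):
        try:
            with self._w.OpenKey(self._hives[hive], path) as k:
                data, _ = self._w.QueryValueEx(k, name)
        except OSError:
            return None
        # REG_MULTI_SZ comes back as a list of strings; flatten for matching.
        return " ".join(data) if isinstance(data, list) else str(data)


def check_vbox_acpi(reg):
    """Signature 1: VirtualBox-specific ACPI table keys present."""
    return [path for hive, path in VBOX_ACPI_KEYS if reg.key_exists(hive, path)]


def check_bios(reg):
    """Signature 2: BIOS/firmware strings naming a hypervisor."""
    hits = {}
    for path, name in BIOS_VALUES:
        data = reg.read_value("HKLM", path, name)
        if data and any(marker in data.upper() for marker in VM_MARKERS):
            hits[path + "\\" + name] = data
    return hits


def check_wine(reg):
    """Signature 3: Wine configuration keys present."""
    return [(hive, path) for hive, path in WINE_KEYS if reg.key_exists(hive, path)]


def analysis_indicators(reg):
    return {"vbox_acpi": check_vbox_acpi(reg), "bios": check_bios(reg), "wine": check_wine(reg)}


def looks_like_analysis_env(reg):
    r = analysis_indicators(reg)
    return bool(r["vbox_acpi"] or r["bios"] or r["wine"])


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live registry check needs Windows; use FakeRegistry elsewhere")
    print(analysis_indicators(WinRegistry()))
```

Run this on the sandbox image after hardening: any non-empty entry in the result is something the sample, per the signatures above, can use to decide it is being analysed and change its behaviour.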

MITRE ATT&CK Enterprise v15
