General

  • Target

    017fe2be76b891716b444e4b519e4585177bd04d3b173bde24c28d458631eb08

  • Size

    1.8MB

  • Sample

    241120-x5jhrs1rcw

  • MD5

    fcef19f8625006d98f0f55d5723b5298

  • SHA1

    4944a4b08c759e674cc37fdaedeea148ef758744

  • SHA256

    017fe2be76b891716b444e4b519e4585177bd04d3b173bde24c28d458631eb08

  • SHA512

    23af21f03a7a863baf5618be447297f06f35283f1d5e13fc9c8ee109bb6526cdedeaa16df559d9e42c909fa197aa67db7c64929be534f7246db94b27c7992d30

  • SSDEEP

    49152:5WFDSDNlEstMehfBwe/WHGZDPgVW0DW40fNQ2:PNqs+ejL/ZDY50z

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

4bee07

C2

http://185.215.113.209

Attributes
  • install_dir

    fc9e0aaab7

  • install_file

    defnur.exe

  • strings_key

    191655f008adc880f91bfc85bc56db54

  • url_paths

    /Fru7Nk9/index.php

rc4.plain

Targets

    • Target

      017fe2be76b891716b444e4b519e4585177bd04d3b173bde24c28d458631eb08

    • Size

      1.8MB

    • MD5

      fcef19f8625006d98f0f55d5723b5298

    • SHA1

      4944a4b08c759e674cc37fdaedeea148ef758744

    • SHA256

      017fe2be76b891716b444e4b519e4585177bd04d3b173bde24c28d458631eb08

    • SHA512

      23af21f03a7a863baf5618be447297f06f35283f1d5e13fc9c8ee109bb6526cdedeaa16df559d9e42c909fa197aa67db7c64929be534f7246db94b27c7992d30

    • SSDEEP

      49152:5WFDSDNlEstMehfBwe/WHGZDPgVW0DW40fNQ2:PNqs+ejL/ZDY50z

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks