amadey | 6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228 | Triage

Submit
Reports

Overview

overview

Static

static

3

6e6f568e5b...28.exe

windows7-x64

6e6f568e5b...28.exe

windows10-2004-x64

Sharing

General

Target

6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228
Size

1.8MB
Sample

241226-lxzn8ssme1
MD5

cb24e0b15b1f8693ec6aec0d5d4c6b4c
SHA1

c1a31fe1cae37ad31a0f6bf5cac159aef3a54e2a
SHA256

6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228
SHA512

81d1eef2cc3c3584980da9f411e6970ccdc7ddc300a1d3469b7ba14c5a14a51da7e1971ea2c783665a8e7da401178a6c53a4dd62b0527133989b5d2605fe331d
SSDEEP

49152:XOzNPpmy+yFTEx+HN0K2YY+QxsxSdzP7GcA8:ezDm5yFIx+bA+wPi

Score

10^/10

amadey fed3aa discovery evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228.exe

Resource

win7-20240903-en

amadey fed3aa discovery evasion trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228.exe

Resource

win10v2004-20241007-en

amadey fed3aa discovery evasion trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

1
a091ec0a6e22276a96a99c1d34ef679c

Targets

- Target
  
  6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228
- Size
  
  1.8MB
- MD5
  
  cb24e0b15b1f8693ec6aec0d5d4c6b4c
- SHA1
  
  c1a31fe1cae37ad31a0f6bf5cac159aef3a54e2a
- SHA256
  
  6e6f568e5b40630cf58b89ae905624e7e653f77569afd87192d4a3a9588b9228
- SHA512
  
  81d1eef2cc3c3584980da9f411e6970ccdc7ddc300a1d3469b7ba14c5a14a51da7e1971ea2c783665a8e7da401178a6c53a4dd62b0527133989b5d2605fe331d
- SSDEEP
  
  49152:XOzNPpmy+yFTEx+HN0K2YY+QxsxSdzP7GcA8:ezDm5yFIx+bA+wPi
Score

10^/10

amadey fed3aa discovery evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyfed3aadiscoveryevasiontrojan

behavioral2

amadeyfed3aadiscoveryevasiontrojan

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.