amadey | 2a3355707c74c39d0765ed0f7ca7e04b03e021b59b97ce0cb4217f563c7ad7a9 | Triage

Sharing

General

Target

2a3355707c74c39d0765ed0f7ca7e04b03e021b59b97ce0cb4217f563c7ad7a9
Size

3.1MB
Sample

241227-eq5tca1pev
MD5

4443a54c552fb90a8aad1d236efbfd7a
SHA1

9836460ba3a44f3c531319d8a0682d6c29d69e2a
SHA256

2a3355707c74c39d0765ed0f7ca7e04b03e021b59b97ce0cb4217f563c7ad7a9
SHA512

2c35c706b79c85bffa5e8a1249c0efa42b55bd6e5cb09dc24789669c8ff5b2bdcf477485458b5ee2fac25b2578760ec87ec1d6ac9c9aff80623626305c4331ed
SSDEEP

24576:H+4KYvgw4/PwE8FQluDTHcg8D00aHb5ALuMJ2yKRPGTZR+mJWo8ahBZoBlVZRAu+:howq9pl+OATns2yb8uOMYL4oKQ1mguX

Score

10^/10

amadey 9c9aa5 discovery evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Targets

- Target
  
  2a3355707c74c39d0765ed0f7ca7e04b03e021b59b97ce0cb4217f563c7ad7a9
- Size
  
  3.1MB
- MD5
  
  4443a54c552fb90a8aad1d236efbfd7a
- SHA1
  
  9836460ba3a44f3c531319d8a0682d6c29d69e2a
- SHA256
  
  2a3355707c74c39d0765ed0f7ca7e04b03e021b59b97ce0cb4217f563c7ad7a9
- SHA512
  
  2c35c706b79c85bffa5e8a1249c0efa42b55bd6e5cb09dc24789669c8ff5b2bdcf477485458b5ee2fac25b2578760ec87ec1d6ac9c9aff80623626305c4331ed
- SSDEEP
  
  24576:H+4KYvgw4/PwE8FQluDTHcg8D00aHb5ALuMJ2yKRPGTZR+mJWo8ahBZoBlVZRAu+:howq9pl+OATns2yb8uOMYL4oKQ1mguX
Score

10^/10

amadey 9c9aa5 discovery evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadey9c9aa5discoveryevasiontrojan

behavioral2

amadey9c9aa5discoveryevasiontrojan