amadey | 2819c3b7702c72f7ef5bd6e66d951ffa7b2495c3d843fc2cdc755ecdb2f6f168 | Triage

Sharing

General

Target

2819c3b7702c72f7ef5bd6e66d951ffa7b2495c3d843fc2cdc755ecdb2f6f168
Size

3.1MB
Sample

241229-k65feaxrg1
MD5

1d63d4556d5db011edaa89ebe42bcb5c
SHA1

5e0d724d17b637ccedc3a3bfe3e6f5ee6653f2d5
SHA256

2819c3b7702c72f7ef5bd6e66d951ffa7b2495c3d843fc2cdc755ecdb2f6f168
SHA512

ea4cb025d8d35fdf094f2a6d4ede162f897051b9156fb5e0c1ea03eb781245c4a48f30b09dade085973e59a172ca0320516b9c8ba592bad5e2f72418bd659594
SSDEEP

49152:lz+GHnAGTVUqSE40cYV0DvGa5tLcB1W7ANJscNuK2hOhAq:cGHnZVUqSE4XYV07GaTLkzhNuvhE

Score

10^/10

amadey 9c9aa5 discovery evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Targets

- Target
  
  2819c3b7702c72f7ef5bd6e66d951ffa7b2495c3d843fc2cdc755ecdb2f6f168
- Size
  
  3.1MB
- MD5
  
  1d63d4556d5db011edaa89ebe42bcb5c
- SHA1
  
  5e0d724d17b637ccedc3a3bfe3e6f5ee6653f2d5
- SHA256
  
  2819c3b7702c72f7ef5bd6e66d951ffa7b2495c3d843fc2cdc755ecdb2f6f168
- SHA512
  
  ea4cb025d8d35fdf094f2a6d4ede162f897051b9156fb5e0c1ea03eb781245c4a48f30b09dade085973e59a172ca0320516b9c8ba592bad5e2f72418bd659594
- SSDEEP
  
  49152:lz+GHnAGTVUqSE40cYV0DvGa5tLcB1W7ANJscNuK2hOhAq:cGHnZVUqSE4XYV07GaTLkzhNuvhE
Score

10^/10

amadey 9c9aa5 discovery evasion trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadey9c9aa5discoveryevasiontrojan

behavioral2

amadey9c9aa5discoveryevasiontrojan