General
Target: 91e186c17751b8b47fb0697208e44ddb45ddf88d64d90d94209dc6dcb1107b5bN.exe
Size: 1.8MB
Sample: 250104-yvfjssvnas
MD5: 18053a51a28d8ee4c57c483d8768db80
SHA1: 4a2bd73285c64cd3996338b2574d4700c8cd1b21
SHA256: 91e186c17751b8b47fb0697208e44ddb45ddf88d64d90d94209dc6dcb1107b5b
SHA512: 30f226a3bc54306159376372382051c4f06c98cb6f06096ea8c7805f13257c32ca721f9f29523db94a9affbab5851283b050bc18212900b4983774e7e8a9b048
SSDEEP: 49152:tmV7CcMK8zKOenIzuP9eyz/x3Pept1cku:kEcMK8e/Iq1eS/x/4t1Lu
Static task: static1
Behavioral task: behavioral1
Sample: 91e186c17751b8b47fb0697208e44ddb45ddf88d64d90d94209dc6dcb1107b5bN.exe
Resource: win7-20241010-en
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Targets
Target: 91e186c17751b8b47fb0697208e44ddb45ddf88d64d90d94209dc6dcb1107b5bN.exe
- Amadey family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger