General
-
Target
78b182ad6c2d0d831b28253bf82165c387179c39ee30b0d04b1ec3fce3a7fc32N.exe
-
Size
3.1MB
-
Sample
250108-zlm3ysvpgr
-
MD5
0b387c671a4452b3d97724b8ac2826a0
-
SHA1
53a7ed9dbbaed953223c4a5d3c64a983d20db551
-
SHA256
78b182ad6c2d0d831b28253bf82165c387179c39ee30b0d04b1ec3fce3a7fc32
-
SHA512
33d720d66b99f8252ca5125315fa917295bda5f83a8036b6e7ca38c49b286d133e1153c1a2053e1f7bcede36ad3d2e5f6eb020370d45df52cc6073ecacba2b3b
-
SSDEEP
49152:rbHhXMApga2NBYcxJ2Lt7o2cgEgpZZ5FdkWHU52tHz8UOA/j9kdIu+9:vHhX9px2NBY5p7YgEg/bFpHc2Bz8UBj
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Targets
-
-
Target
78b182ad6c2d0d831b28253bf82165c387179c39ee30b0d04b1ec3fce3a7fc32N.exe
-
Size
3.1MB
-
MD5
0b387c671a4452b3d97724b8ac2826a0
-
SHA1
53a7ed9dbbaed953223c4a5d3c64a983d20db551
-
SHA256
78b182ad6c2d0d831b28253bf82165c387179c39ee30b0d04b1ec3fce3a7fc32
-
SHA512
33d720d66b99f8252ca5125315fa917295bda5f83a8036b6e7ca38c49b286d133e1153c1a2053e1f7bcede36ad3d2e5f6eb020370d45df52cc6073ecacba2b3b
-
SSDEEP
49152:rbHhXMApga2NBYcxJ2Lt7o2cgEgpZZ5FdkWHU52tHz8UOA/j9kdIu+9:vHhX9px2NBY5p7YgEg/bFpHc2Bz8UBj
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-