General

  • Target

    cb7b96947bea3a57e3a7ec70c71729b1ca601425746cad1813a80aab31121108

  • Size

    1.8MB

  • Sample

    250128-kadb2ssqfz

  • MD5

    a3907087147ec50631d8e9832162a144

  • SHA1

    651dc5bc10898dfd9fbf6ac3acb7cbc90d241160

  • SHA256

    cb7b96947bea3a57e3a7ec70c71729b1ca601425746cad1813a80aab31121108

  • SHA512

    b630668ad4cf25968a02891fb6431c47329323ab3d69426354a85cc7c06e92d22dfc207d782f35babbf7fb75d603d9cd506a04621cf17519f47060b6cca1acb3

  • SSDEEP

    49152:qPmPCwc2aT5RcD2YkCYw7D+nrW09IvT2cyp0UB:CQRL7D+rW0+v+JB

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain
1
006700e5a2ab05704bbb0c589b88924d

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks
