amadey | 0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac | Triage

Submit
Reports

Overview

overview

Static

static

3

0a6b10a377...ac.exe

windows7-x64

0a6b10a377...ac.exe

windows10-2004-x64

Sharing

General

Target

0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac
Size

1.9MB
Sample

250129-swrqka1pbt
MD5

d55f06a6b8fbfcedee49c313d99e7f0a
SHA1

6643c2803421d3167ed197b5ea66f8b5cd71081a
SHA256

0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac
SHA512

5a61fe982ff9cd4cb58371b5ef27535d95e9ef5c56a545b85dae2f88fa74a9c0bfa037a8962ea17b1be756a3e736a69439df995a7d0fcb4328b7626b6117d886
SSDEEP

49152:zf3Kw1FbKBrvFgOAyyHD6iOJVybQBRiKY4x:DgrNgOA3/oVysGK

Score

10^/10

amadey fed3aa defense_evasion discovery trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac.exe

Resource

win7-20241010-en

amadey fed3aa defense_evasion discovery trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac.exe

Resource

win10v2004-20250129-en

amadey fed3aa defense_evasion discovery trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Targets

- Target
  
  0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac
- Size
  
  1.9MB
- MD5
  
  d55f06a6b8fbfcedee49c313d99e7f0a
- SHA1
  
  6643c2803421d3167ed197b5ea66f8b5cd71081a
- SHA256
  
  0a6b10a3771e967a98891bdf1eb291a2614da3ee8f55c1cf8a489a94844074ac
- SHA512
  
  5a61fe982ff9cd4cb58371b5ef27535d95e9ef5c56a545b85dae2f88fa74a9c0bfa037a8962ea17b1be756a3e736a69439df995a7d0fcb4328b7626b6117d886
- SSDEEP
  
  49152:zf3Kw1FbKBrvFgOAyyHD6iOJVybQBRiKY4x:DgrNgOA3/oVysGK
Score

10^/10

amadey fed3aa defense_evasion discovery trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyfed3aadefense_evasiondiscoverytrojan

behavioral2

amadeyfed3aadefense_evasiondiscoverytrojan

© 2018-2025

Terms | Privacy