amadey

Sharing

Copy URL

Twitter E-mail

General

Target

1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c_NeikiAnalytics.exe
Size

1.9MB
Sample

240630-17yl9a1anq
MD5

fd33c5a6ec043a22780094069ecd4f90
SHA1

2716ddb4df3dbe2c859b5e1dd1b29d1ff7583012
SHA256

1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c
SHA512

5544cfe5f7b6ab87c5b5141834d251d0b78993e9b25aa3a8d709cb85192cd9af4c30e23ea46df362b1855e01eb0b06761a66b6a9c2af168ec13ecd0bdf1f40a0
SSDEEP

49152:zMeVDM2T+DYFlJN6q4CpQYE5AS5lEABphy:4e+xMMBCplEyS56G

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Targets

- Target
  
  1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c_NeikiAnalytics.exe
- Size
  
  1.9MB
- MD5
  
  fd33c5a6ec043a22780094069ecd4f90
- SHA1
  
  2716ddb4df3dbe2c859b5e1dd1b29d1ff7583012
- SHA256
  
  1e69e4d306ec24d60a4d1714126c5a93d6e960e47c779e74c6f2ee0de411c56c
- SHA512
  
  5544cfe5f7b6ab87c5b5141834d251d0b78993e9b25aa3a8d709cb85192cd9af4c30e23ea46df362b1855e01eb0b06761a66b6a9c2af168ec13ecd0bdf1f40a0
- SSDEEP
  
  49152:zMeVDM2T+DYFlJN6q4CpQYE5AS5lEABphy:4e+xMMBCplEyS56G
Score

10^/10

amadey 0e6740 evasion trojan stealc 4dd39d default stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2