amadey

Sharing

Copy URL

Twitter E-mail

General

Target

eb90c32e2fcc3d5b5a33dddbec55eb02b09c0f0fb08e9bfc29a529685ebe20fb
Size

1.8MB
Sample

240630-nzqkfsxdka
MD5

42b633eac3a7415b01516bc14ad42310
SHA1

2b6d8f886a59b5b29d3df7d8fe1d1924325cefcf
SHA256

eb90c32e2fcc3d5b5a33dddbec55eb02b09c0f0fb08e9bfc29a529685ebe20fb
SHA512

25f492072d57dbd49ed2a211f53d0f5794d6056a633d8b568f1d88f734bbbd831c3791494c7c734c0e55ff253437edda842d922c13a9fc959b65b8804358a224
SSDEEP

49152:moKpJrja5ijpX60ZuEbllo05whwqt2Tf:NKpJniupK0xbXVuwbT

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Targets

- Target
  
  eb90c32e2fcc3d5b5a33dddbec55eb02b09c0f0fb08e9bfc29a529685ebe20fb
- Size
  
  1.8MB
- MD5
  
  42b633eac3a7415b01516bc14ad42310
- SHA1
  
  2b6d8f886a59b5b29d3df7d8fe1d1924325cefcf
- SHA256
  
  eb90c32e2fcc3d5b5a33dddbec55eb02b09c0f0fb08e9bfc29a529685ebe20fb
- SHA512
  
  25f492072d57dbd49ed2a211f53d0f5794d6056a633d8b568f1d88f734bbbd831c3791494c7c734c0e55ff253437edda842d922c13a9fc959b65b8804358a224
- SSDEEP
  
  49152:moKpJrja5ijpX60ZuEbllo05whwqt2Tf:NKpJniupK0xbXVuwbT
Score

10^/10

amadey stealc 4dd39d default evasion stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2