amadey

Sharing

Copy URL

Twitter E-mail

General

Target

ccf2d36f20f564d567bfbd238b6fbe47d86b65a096a41ae0ee4a9673003d2f04
Size

1.8MB
Sample

240701-x8enzsyhjr
MD5

7076a0272638693862f34c58198fb9b3
SHA1

ab40554e0f92b8bc3888b5be69deabd93f16e563
SHA256

ccf2d36f20f564d567bfbd238b6fbe47d86b65a096a41ae0ee4a9673003d2f04
SHA512

1a0f2c12439742187ee803675ac0195398e2e386a41265718f8fe31b220d90b23aa49a717bede994103c17e100f2e674f9ebc9f8181fb4ef4b81cb5bc7edd56b
SSDEEP

49152:DzmTXZhMBSAXTGF4kbfFOunSKPmQBUUADV:DIZGGi3VFwUUA

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Targets

- Target
  
  ccf2d36f20f564d567bfbd238b6fbe47d86b65a096a41ae0ee4a9673003d2f04
- Size
  
  1.8MB
- MD5
  
  7076a0272638693862f34c58198fb9b3
- SHA1
  
  ab40554e0f92b8bc3888b5be69deabd93f16e563
- SHA256
  
  ccf2d36f20f564d567bfbd238b6fbe47d86b65a096a41ae0ee4a9673003d2f04
- SHA512
  
  1a0f2c12439742187ee803675ac0195398e2e386a41265718f8fe31b220d90b23aa49a717bede994103c17e100f2e674f9ebc9f8181fb4ef4b81cb5bc7edd56b
- SSDEEP
  
  49152:DzmTXZhMBSAXTGF4kbfFOunSKPmQBUUADV:DIZGGi3VFwUUA
Score

10^/10

amadey stealc 4dd39d default evasion stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2