General

  • Target

    e58a84a6bab73181723f3df7a8f931785acfa2e7134f45f95afa5e0be81dd1ea.exe

  • Size

    28.0MB

  • Sample

    220517-yh3hssgfe4

  • MD5

    05b666fa594fabf1f40b331f75609091

  • SHA1

    9ea91b4d0e830bedaa11bcb3835c415527035692

  • SHA256

    e58a84a6bab73181723f3df7a8f931785acfa2e7134f45f95afa5e0be81dd1ea

  • SHA512

    e3bb4a1833759acd5987c72954df220a3c49e9671412d28ff29a0397cf881aabab9c23e1689fe6bc94d8831287c082b4b94668653d9751abd3235f3fa7c410f7

Malware Config

Extracted

Family

amadey

Version

3.07

C2

89.163.249.231/panel/index.php

Targets

    • Target

      e58a84a6bab73181723f3df7a8f931785acfa2e7134f45f95afa5e0be81dd1ea.exe

    • Size

      28.0MB

    • MD5

      05b666fa594fabf1f40b331f75609091

    • SHA1

      9ea91b4d0e830bedaa11bcb3835c415527035692

    • SHA256

      e58a84a6bab73181723f3df7a8f931785acfa2e7134f45f95afa5e0be81dd1ea

    • SHA512

      e3bb4a1833759acd5987c72954df220a3c49e9671412d28ff29a0397cf881aabab9c23e1689fe6bc94d8831287c082b4b94668653d9751abd3235f3fa7c410f7

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information from the infected host.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
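The behaviours and the extracted config above translate directly into host and network triage checks. The following is an added example (not part of the sandbox report and not the sandbox's own detection code): the hashes and C2 are copied from the report, while the log events, the registry value name and the Sysmon-like field names are constructed assumptions, and the netsh check assumes one common way of modifying the firewall, which the report does not specify. The geofence lookup is a registry read, which set-value telemetry does not capture, so it is deliberately not covered.

```python
"""Triage checks built from the indicators in the Amadey 3.07 report above.

The hashes and the C2 are copied from the report. The log events and registry
value name are constructed for illustration, and the event field names follow
a simplified Sysmon-like layout that is an assumption, not a real log schema.
"""
import hashlib
import json
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "05b666fa594fabf1f40b331f75609091",
    "sha1": "9ea91b4d0e830bedaa11bcb3835c415527035692",
    "sha256": "e58a84a6bab73181723f3df7a8f931785acfa2e7134f45f95afa5e0be81dd1ea",
    "sha512": "e3bb4a1833759acd5987c72954df220a3c49e9671412d28ff29a0397cf881aab"
              "ab9c23e1689fe6bc94d8831287c082b4b94668653d9751abd3235f3fa7c410f7",
}
C2_HOST = "89.163.249.231"
C2_PATH = "/panel/index.php"

# Run / RunOnce keys under HKLM or HKCU (Sysmon logs HKCU as HKU\<SID>\...).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)
# Assumption: the firewall change is made with netsh; the report does not say how.
NETSH_FW_RE = re.compile(r"\bnetsh(\.exe)?\b.*\b(advfirewall|firewall)\b", re.IGNORECASE)


def matches_sample_hash(digest: str) -> bool:
    """True if a hex digest of any of the four algorithms matches the sample."""
    return digest.strip().lower() in SAMPLE_HASHES.values()


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute all four report digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk so its digests can be compared with the report."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(1 << 20), b""))


def classify_url(url: str) -> Optional[str]:
    """'c2-exact' for the panel URL, 'c2-host' for any other URL on the C2 IP."""
    m = re.match(r"^(?:https?://)?([^/:?#]+)(?::\d+)?(/[^?#]*)?", url.strip())
    if not m or m.group(1) != C2_HOST:
        return None
    return "c2-exact" if (m.group(2) or "/") == C2_PATH else "c2-host"


def scan_events(events: Iterable[dict]) -> List[str]:
    """Apply the report's behaviours as checks over parsed events."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "registry_set" and RUN_KEY_RE.search(ev.get("target", "")):
            findings.append(f"run-key persistence: {ev['target']} -> {ev.get('data', '')}")
        elif kind == "process_create" and NETSH_FW_RE.search(ev.get("cmdline", "")):
            findings.append(f"firewall modified via netsh: {ev['cmdline']}")
        elif kind == "http_request":
            level = classify_url(ev.get("url", ""))
            if level:
                findings.append(f"{level}: {ev['url']}")
        elif kind == "file_hash" and matches_sample_hash(ev.get("sha256", "")):
            findings.append(f"known sample written: {ev.get('path', '?')}")
    return findings


def parse_jsonl(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (not real telemetry from the sandbox run).
SAMPLE_LOG = r"""
{"event": "registry_set", "target": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "data": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe"}
{"event": "registry_set", "target": "HKU\\S-1-5-21-1-2-3-1001\\Control Panel\\Desktop\\Wallpaper", "data": "C:\\bg.jpg"}
{"event": "process_create", "cmdline": "netsh advfirewall firewall add rule name=\"updater\" dir=in action=allow program=\"C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe\""}
{"event": "http_request", "url": "http://89.163.249.231/panel/index.php"}
{"event": "http_request", "url": "http://89.163.249.231/"}
{"event": "http_request", "url": "https://example.com/panel/index.php"}
{"event": "file_hash", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\updater.exe", "sha256": "E58A84A6BAB73181723F3DF7A8F931785ACFA2E7134F45F95AFA5E0BE81DD1EA"}
"""

if __name__ == "__main__":
    for finding in scan_events(parse_jsonl(SAMPLE_LOG)):
        print(finding)
```

Matching on the C2 host alone is kept as a weaker finding than the exact panel path, since any connection to the IP is worth a look even if the bot is later reconfigured to a different path on the same server.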

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                            Matches  ID
  Execution              Scheduled Task                       1        T1053
  Persistence            Modify Existing Service              1        T1031
  Persistence            Registry Run Keys / Startup Folder   1        T1060
  Persistence            Scheduled Task                       1        T1053
  Privilege Escalation   Scheduled Task                       1        T1053
  Defense Evasion        Modify Registry                      1        T1112
  Discovery              Query Registry                       2        T1012
  Discovery              System Information Discovery         3        T1082
  Discovery              Peripheral Device Discovery          1        T1120

  The IDs follow ATT&CK v6. In current ATT&CK versions T1060 has become T1547.001 (Registry Run Keys / Startup Folder), T1031 has become T1543.003 (Windows Service), and T1053 is split into sub-techniques (Scheduled Task is T1053.005).

Tasks