General
-
Target
7c23c3236a2ae19ce71efe8528e176a8b3f67eedd9837956357854503d80c0f0
-
Size
372KB
-
Sample
221118-t1a42sdg5s
-
MD5
8d835a756acae603491293c09457dea6
-
SHA1
0a335e464b300744143450577d9fdd8829835fb4
-
SHA256
7c23c3236a2ae19ce71efe8528e176a8b3f67eedd9837956357854503d80c0f0
-
SHA512
78ad7956f87a6ddb9166a3942ee2b74a4d61abb741639b648fb742da83bab1f12e58e0a38352c8199a0f10b939d79430a73ebe76c41895332c7565e7f681f606
-
SSDEEP
6144:i8pyzqeh6dwmp/c0McM6MagOUrKgL8CCh+3oQ9gOU+fzYBb6:xyueWwT0mdRKgwA9gT6
Malware Config
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Targets
-
-
Target
7c23c3236a2ae19ce71efe8528e176a8b3f67eedd9837956357854503d80c0f0
-
Size
372KB
-
MD5
8d835a756acae603491293c09457dea6
-
SHA1
0a335e464b300744143450577d9fdd8829835fb4
-
SHA256
7c23c3236a2ae19ce71efe8528e176a8b3f67eedd9837956357854503d80c0f0
-
SHA512
78ad7956f87a6ddb9166a3942ee2b74a4d61abb741639b648fb742da83bab1f12e58e0a38352c8199a0f10b939d79430a73ebe76c41895332c7565e7f681f606
-
SSDEEP
6144:i8pyzqeh6dwmp/c0McM6MagOUrKgL8CCh+3oQ9gOU+fzYBb6:xyueWwT0mdRKgwA9gT6
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-