General

  • Target

    b149115ede40e48ff726687ec09eaf07d3c182792a72fdde5176fe2173eb5f57

  • Size

    244KB

  • Sample

    221123-j11plabf9w

  • MD5

    41e1491b70e8968f36d98ca897bbf71f

  • SHA1

    1784c1961afc5a1e50526a6e8ffb296a1cd69a19

  • SHA256

    b149115ede40e48ff726687ec09eaf07d3c182792a72fdde5176fe2173eb5f57

  • SHA512

    4f2f00aff474657cdb4cc0cee210de810253ecf4adc1d8d00676029f238140f4bc2e10248128d7fd7058c62c8d2ad2843b14dbfd5a20d7e9dca44e173e38a69f

  • SSDEEP

    3072:lBkA2Ve2jYxLQ3vW8XD5CGO5jfhKznC1TKr9jaIjxOobZV1dYbn:YAkaLQ3vPPO5jfcT2mpjROotV1dYb

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles
