amadey | 884ffb6ae8083046b1e1297b300ba6b80ab09581f9efff4c185fbd0c3cc9d1f5 | Triage

Submit
Reports

Overview

overview

Static

static

a0ba61cdc1...65.exe

windows7-x64

a0ba61cdc1...65.exe

windows10-2004-x64

Sharing

General

Target

a0ba61cdc118189e5417f6696c4896e7070e78cd4f4e4599068916cd9084dc65
Size

184KB
Sample

221123-xekm5seg47
MD5

f44287f7603e1eb1007e6a7c3ac41ef9
SHA1

88216da836a1ca42ef5100fdf54f06fbc4bf1c16
SHA256

884ffb6ae8083046b1e1297b300ba6b80ab09581f9efff4c185fbd0c3cc9d1f5
SHA512

298d95a123905672aac8e590557760f1f273fafc0abd4062926a0bb834daf063bf254fb5a0a29836af25242163dbdca941b95d6ff8fc86c2b519a0371ae9e237
SSDEEP

3072:IiKtZA9deGSPKHshSMUDTAYYGcY/M0n1DsdB7ShaHlx9JowEALkxkn:IZAn8CUSMaAnh01oxFthEk

Score

10^/10

amadey collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

a0ba61cdc118189e5417f6696c4896e7070e78cd4f4e4599068916cd9084dc65.exe

Resource

win7-20221111-en

amadey collection spyware stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

a0ba61cdc118189e5417f6696c4896e7070e78cd4f4e4599068916cd9084dc65.exe

Resource

win10v2004-20220812-en

amadey collection spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Targets

- Target
  
  a0ba61cdc118189e5417f6696c4896e7070e78cd4f4e4599068916cd9084dc65
- Size
  
  244KB
- MD5
  
  b167de50d4f69ca5132bf2ab8a627451
- SHA1
  
  7be661df0a1daea1026e19f278a5e001bda4ff63
- SHA256
  
  a0ba61cdc118189e5417f6696c4896e7070e78cd4f4e4599068916cd9084dc65
- SHA512
  
  df243f49f9b1c42a6cd7e29eff55d8a28176ecc6e8ee3833da48e8eb35a5fd4ce420e394bc797f16c3172ca4aa88e5ed76ae42bd6d0cb07ffb545c8ba25b4099
- SSDEEP
  
  3072:WDA1BBEyyiLknwWXBGo5Uxyfdncbn1DsdBDShaHlx9JWwEApQS:0AuuLknwi88m71GxFtnEE
Score

10^/10

amadey collection spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeycollectionspywarestealertrojan

behavioral2

amadeycollectionspywarestealertrojan

© 2018-2024

Terms | Privacy