General

  • Target

    16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

  • Size

    245KB

  • Sample

    221124-x43j9aha3v

  • MD5

    3a09a713b206226caf0bf7e6d28ea115

  • SHA1

    c68ae0c28f6715379f9b59b644b4d040bb7320ce

  • SHA256

    16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

  • SHA512

    a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Targets

    • Target

      16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

    • Size

      245KB

    • MD5

      3a09a713b206226caf0bf7e6d28ea115

    • SHA1

      c68ae0c28f6715379f9b59b644b4d040bb7320ce

    • SHA256

      16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

    • SHA512

      a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation