General
-
Target
b41556e99148464d98e7aaeb6dce4c0995dc5f549d436e09b0000c26273de141
-
Size
187KB
-
Sample
221124-zwp1ashh29
-
MD5
dd500be598d1db9eab28b3052a71039f
-
SHA1
e01aabb8620a7d2ccc648ef84cdd37a57cc4d919
-
SHA256
b41556e99148464d98e7aaeb6dce4c0995dc5f549d436e09b0000c26273de141
-
SHA512
01f6adfa566859dae85fcf2da1a3ee36289416384fe916d54328666f771ba1cd833fbdfa9dd4cc8abeba98962b898773e1a5c526cf9d0445f9df83cbfed615ae
-
SSDEEP
3072:x8sYrItgCeqGtktLaG3P+7QM5FUFC1T/xr7I2+ECxtMV8K:qrn4Law80yT/pEwCxtTK
Malware Config
Extracted
amadey
3.50
77.73.134.65/o7VsjdSa2f/index.php
Targets
-
-
Target
b41556e99148464d98e7aaeb6dce4c0995dc5f549d436e09b0000c26273de141
-
Size
187KB
-
MD5
dd500be598d1db9eab28b3052a71039f
-
SHA1
e01aabb8620a7d2ccc648ef84cdd37a57cc4d919
-
SHA256
b41556e99148464d98e7aaeb6dce4c0995dc5f549d436e09b0000c26273de141
-
SHA512
01f6adfa566859dae85fcf2da1a3ee36289416384fe916d54328666f771ba1cd833fbdfa9dd4cc8abeba98962b898773e1a5c526cf9d0445f9df83cbfed615ae
-
SSDEEP
3072:x8sYrItgCeqGtktLaG3P+7QM5FUFC1T/xr7I2+ECxtMV8K:qrn4Law80yT/pEwCxtTK
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module
-
Detects Smokeloader packer
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-