amadey | c5193831b8213553f51767e00d377b0ac83dc51811a3d17bdc207599900a8a16 | Triage

Submit
Reports

Overview

overview

Static

static

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file
Size

206KB
Sample

221126-1j2zrsba8s
MD5

0799af8b2a64ae893d55e783cabc046c
SHA1

a85db9123e672d31f6200988f51fbc03b353725a
SHA256

c5193831b8213553f51767e00d377b0ac83dc51811a3d17bdc207599900a8a16
SHA512

32054f92ac432c18ba69e51c2e9a770abdae4944cd2bdbaa48f19b79849b09fe8faf6ea88a999c63e8dff9a0cc390022cb2d0d4d9b71a7818fc11049d012fa10
SSDEEP

3072:M7N9Ix/tp8aia5NjgG6AGulANKzq83Noyg0WDe9eXRr4o9KmWm7li:49ub8a7nUoldoyP6Dhr4CKmWAA

Score

10^/10

amadey collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20220812-en

amadey collection spyware stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20220812-en

amadey collection spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Targets

- Target
  
  file
- Size
  
  206KB
- MD5
  
  0799af8b2a64ae893d55e783cabc046c
- SHA1
  
  a85db9123e672d31f6200988f51fbc03b353725a
- SHA256
  
  c5193831b8213553f51767e00d377b0ac83dc51811a3d17bdc207599900a8a16
- SHA512
  
  32054f92ac432c18ba69e51c2e9a770abdae4944cd2bdbaa48f19b79849b09fe8faf6ea88a999c63e8dff9a0cc390022cb2d0d4d9b71a7818fc11049d012fa10
- SSDEEP
  
  3072:M7N9Ix/tp8aia5NjgG6AGulANKzq83Noyg0WDe9eXRr4o9KmWm7li:49ub8a7nUoldoyP6Dhr4CKmWAA
Score

10^/10

amadey collection spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeycollectionspywarestealertrojan

behavioral2

amadeycollectionspywarestealertrojan

© 2018-2024

Terms | Privacy