amadey | e0a1337f0d535c179e155e034c9fa772c55001d47ae6caab14c16a63b806531c | Triage

Submit
Reports

Overview

overview

Static

static

8a75eb40f5...d1.exe

windows7-x64

8a75eb40f5...d1.exe

windows10-2004-x64

Sharing

General

Target

8a75eb40f565ba16ea141ad0473315253ac17c6368ce59506ff6532f219181d1
Size

163KB
Sample

221129-2ngeashe4t
MD5

a40ee335a13fa9076d2d970c142717d3
SHA1

ac7326d0da61b19b11be1a29a7fb830402e86f76
SHA256

e0a1337f0d535c179e155e034c9fa772c55001d47ae6caab14c16a63b806531c
SHA512

f73184c119d17c89ef3189c60f6be103f61b24e8971974c81e3678a12f9f61be3c4490703160dd053f1a2a8bf3697431ba5934bf0481e892d61bf6ba6ecaee99
SSDEEP

3072:MdpI6LWMmXf3/nkNIxzGTPdCasbPOP/KbXcz3qQPCRU:MAP3/nkNItBas7OHOS35AU

Score

10^/10

amadey collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

8a75eb40f565ba16ea141ad0473315253ac17c6368ce59506ff6532f219181d1.exe

Resource

win7-20220812-en

amadey collection spyware stealer trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

8a75eb40f565ba16ea141ad0473315253ac17c6368ce59506ff6532f219181d1.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Targets

- Target
  
  8a75eb40f565ba16ea141ad0473315253ac17c6368ce59506ff6532f219181d1
- Size
  
  206KB
- MD5
  
  fa88feb7e83019914c5bc21121a3dca5
- SHA1
  
  d28d4f68b6d7d91063cae67f5cb950e0bf2bb085
- SHA256
  
  8a75eb40f565ba16ea141ad0473315253ac17c6368ce59506ff6532f219181d1
- SHA512
  
  d2925f553cd10be8e185d53fb7490467594d5552fc3ed3ad2eaf5fa9069dd95b3d2de34ce17dbc541c545a0d0aca694c1b31b9a3ac60ab60bc27f838504d7191
- SSDEEP
  
  3072:FQ2RgCKWIEFKWv5gv7kNIxzGTPBCasbPOP/9BD2sbgnjd5:nWCKWIEgD7kNItjaszOH9M7j
Score

10^/10

amadey collection spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

amadeycollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy