General

  • Target: 3ca83f296b847c27c4c15049d562ad4ef34258d299b564253bab014944c8b52f
  • Size: 421KB
  • Sample: 221207-alfansbf8s
  • MD5: b5d63107702a8f092b0d51e31e438697
  • SHA1: 5bb8bebe518d5af0a8bb049c213bff9825511605
  • SHA256: 3ca83f296b847c27c4c15049d562ad4ef34258d299b564253bab014944c8b52f
  • SHA512: 5d5d0c0c2e34a6c8722a3d21e78eff724b3ec92d0ccd974345ed4127331d9dce8cbd2a2ad94a1c085f20783c474de686c70b91b485d2fdc2b68279eeac108d28
  • SSDEEP: 6144:0dNaLxM3bQFMln0O2hpavxql/zYeuEhOnwM+qWcoBlCDyj5aVe:0SFM3bQFM5z27ScdzzuEhOnJycWCI3

Malware Config

Extracted

  • Family: amadey
  • Version: 3.50
  • C2: 62.204.41.6/p9cWxH/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles
