General

  • Target

    file.exe

  • Size

    322KB

  • Sample

    221208-pl7ggsch71

  • MD5

    604763f5a52df56b4f2dcd2d3529be76

  • SHA1

    f923423d231a7db45a18c35a98c990c35b337e1c

  • SHA256

    2312780f7e750b3aeb3c92d8404d002c29e8b5e63136a91d218a7130fe08ace3

  • SHA512

    7d5cb160847c1454789e75f22c81489ede8d551416dbf77512662be1220a46010df03a466e38172fb598be23911f24e846ed24ca72c45d2e8332242674e958d3

  • SSDEEP

    6144:Lw9zuGtIU0MjK2rpzU7CTb9y3VW+iLxm:Lw9zuGFfKyNwCT5y3V6

Malware Config

  • Extracted

    Family: amadey

    Version: 3.50

    C2: 62.204.41.6/p9cWxH/index.php

Targets

    • Target

      file.exe

    • Size

      322KB

    • MD5

      604763f5a52df56b4f2dcd2d3529be76

    • SHA1

      f923423d231a7db45a18c35a98c990c35b337e1c

    • SHA256

      2312780f7e750b3aeb3c92d8404d002c29e8b5e63136a91d218a7130fe08ace3

    • SHA512

      7d5cb160847c1454789e75f22c81489ede8d551416dbf77512662be1220a46010df03a466e38172fb598be23911f24e846ed24ca72c45d2e8332242674e958d3

    • SSDEEP

      6144:Lw9zuGtIU0MjK2rpzU7CTb9y3VW+iLxm:Lw9zuGFfKyNwCT5y3V6

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005

    Email Collection (1) T1114

Tasks