General

  • Target

    5eb90b93f807ef1c6274c6a41fc4813f824a9870f782234258064bc67b67dcab

  • Size

    273KB

  • Sample

    221216-rs34rahf6s

  • MD5

    093eda0545a4314b5a947a980bbda4cc

  • SHA1

    20f4fd70cc9e3ff6e219d73b01aef4c6a45aa8dd

  • SHA256

    5eb90b93f807ef1c6274c6a41fc4813f824a9870f782234258064bc67b67dcab

  • SHA512

    0986ef336cec9dbff9297bcfd08ba05cb6289c9f427352ea6da1bae1ace676889b05341c9105a3bf408345c13ec8422de20a1470de9ee551d379dd4df842c636

  • SSDEEP

    6144:wdLM/4y7+JxJdHl7x/wAeumN/0hgzTb740M2b:wdanSxTRd9euu/0a7

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.60

  • C2

    62.204.41.79/fb73jc3/index.php

    62.204.41.13/gjend7w/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application
