General

  • Target

    952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe

  • Size

    367KB

  • Sample

    221216-v187hshh8w

  • MD5

    17988a22cb3105fae2488f11a38e55e7

  • SHA1

    ded099d65110a6be60931ae3e46d14c24ef562e6

  • SHA256

    952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4

  • SHA512

    0bceec8403c66a7417d9a837e3531c070ccf22f6473845dcd1ba877a26f6469f4dafdfb185e1462165171f476b3b20d2b596c6d676e93ccbf9394e00d3603a56

  • SSDEEP

    6144:JYCnsLtk6+k4guyzJGRRpppzgLno2VMzrPrTvt0l0iPvzpQ6ijLxQFiaI:FsBkDtOFKpdgLoBPfv+lxnzpQ6ijqF

Malware Config

Extracted

Family

amadey

Version

3.60

C2

62.204.41.79/fb73jc3/index.php
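Added example, not part of the Triage report: a small Python script that turns the extracted config and the hashes above into two practical checks. It splits the scheme-less C2 string into host, port and path (assuming plain HTTP, since the config carries no scheme), flags proxy log lines that reach the C2 (distinguishing the exact beacon URL from other requests to the same host, which the "Downloads MZ/PE file" behaviour predicts), and compares a file's MD5/SHA1/SHA256 with the report values. The proxy log lines and their format are constructed for the example; only the C2 and the digests come from the report.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the report above.
REPORT_C2 = "62.204.41.79/fb73jc3/index.php"
REPORT_HASHES = {
    "md5": "17988a22cb3105fae2488f11a38e55e7",
    "sha1": "ded099d65110a6be60931ae3e46d14c24ef562e6",
    "sha256": "952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4",
}

# Constructed proxy log (not from the report): "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2022-12-16T15:03:11Z 10.0.0.21 POST http://62.204.41.79/fb73jc3/index.php 200",
    "2022-12-16T15:03:12Z 10.0.0.21 GET http://62.204.41.79/fb73jc3/dl/stage2.bin 200",
    "2022-12-16T15:04:00Z 10.0.0.33 GET https://www.microsoft.com/ 200",
    "2022-12-16T15:05:40Z 10.0.0.21 GET http://62.204.41.79:8080/other/index.php 404",
    "2022-12-16T15:06:02Z 10.0.0.44 GET http://example.com/fb73jc3/index.php 200",
]


def parse_c2(c2: str) -> dict:
    """Split a scheme-less config C2 string into host, port and path.

    The extracted config stores the C2 without a scheme; plain HTTP on port 80
    is assumed here when none is given. The host is classified as IP address
    or hostname so the caller can choose between an IP block and a DNS block."""
    url = c2 if "://" in c2 else "http://" + c2
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {"host": host, "port": parts.port or 80, "path": parts.path, "is_ip": is_ip}


def match_c2(log_lines, c2: str):
    """Return (line, reason) for every log line that touches the C2.

    'exact' means host, port and path all equal the config entry (the beacon
    itself); 'host' means any other request to the C2 host, for example a
    follow-on payload download from the same server."""
    ind = parse_c2(c2)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        req = urlsplit(fields[3])
        if req.hostname != ind["host"]:
            continue
        req_port = req.port or (443 if req.scheme == "https" else 80)
        if req_port == ind["port"] and req.path == ind["path"]:
            hits.append((line, "exact"))
        else:
            hits.append((line, "host"))
    return hits


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Compare the MD5/SHA1/SHA256 of data with the expected hex digests.

    Exact digests identify only this build; a repacked sample fails every
    comparison while still talking to the same C2, so the C2 match above is
    the more durable indicator."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest.lower()
        for algo, digest in expected.items()
    }


if __name__ == "__main__":
    for line, reason in match_c2(SAMPLE_PROXY_LOG, REPORT_C2):
        print(f"[{reason}] {line}")
    print(verify_hashes(b"not the real sample", REPORT_HASHES))
```

Exact digests catch only this specific file; for repacked variants the SSDEEP value in the report is the appropriate fuzzy comparison (with the ssdeep library), and the C2 host and path remain the indicators worth alerting on.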

Targets

    • Target

      952516f9329a78c22dd4616690e1da1d468876a5a5d7410bf3b087d2bd65eec4.exe

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information from the infected host and, as the behaviours below show, to download and execute additional payloads.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain countries).

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v6