General

  • Target

    431fab789f65114a9a625770d72850191832de05b4f6368ffb2cf877a02b9411

  • Size

    300KB

  • Sample

    221229-ccbl8scb56

  • MD5

    b6b503be7216e3fc3c685b8b222f60e5

  • SHA1

    b12fe336e09bf6a8173400ecb7c1108cf96f72fc

  • SHA256

    431fab789f65114a9a625770d72850191832de05b4f6368ffb2cf877a02b9411

  • SHA512

    108d5861a1e53f96a92816e1ea587896b89626b338ea142e59884e8ed639eaf6dc794fd3e0e7496c1fb61b993191c430090a62a96560a16f78e672fc4b2a6925

  • SSDEEP

    6144:2LRUK/nt7ky+yE/xYtIznPtwTGYNciDtmmUXT:2FUK/ntr+y2tPOGiciDtmtT

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.63

  • C2

    62.204.41.17/8bdSvcD/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks