General

  • Target

    5e9752262225a2e8dce320cbbba12fc3db5cd0080462ad863d759501e4f376b3

  • Size

    558KB

  • Sample

    230206-1llessbc4v

  • MD5

    1f67d4165486a308bd9b0c2d23c66c53

  • SHA1

    b98993583736c18d8161926a2bd5b9600636d4e2

  • SHA256

    5e9752262225a2e8dce320cbbba12fc3db5cd0080462ad863d759501e4f376b3

  • SHA512

    e792ae73ad5f271faaa349a73bddadb7b1fb963d3b3a962bd4c84872e1c96ff35a0402614bc25137af0f1b858c0ca8d040ad36a547355d4aed82849e8e8a0cfe

  • SSDEEP

    12288:JMr/y90ebi0tjGq7sF+KMaTUmNRSxHUID5Sedfvr:Gy7bi0tmHTUmNRSx0bed3r

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.4/Gol478Ns/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Modify Existing Service              1      T1031
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      3      T1112
  Defense Evasion       Disabling Security Tools             2      T1089
  Discovery             System Information Discovery         1      T1082

Tasks