General

  • Target

    aca71960192a8fb23e07ece5b076cf593c4fc8b44214318eb79a75ebd243c1e2

  • Size

    558KB

  • Sample

    230206-2cf96agb75

  • MD5

    39b1c1df2d4e1c512b40def54038a2e7

  • SHA1

    fce6b4b0180966b01cd75c6855e14a9511adc50b

  • SHA256

    aca71960192a8fb23e07ece5b076cf593c4fc8b44214318eb79a75ebd243c1e2

  • SHA512

    f651fe17af46753b51461ce2a8b5b9ebfc236aef9a77b8c9c32a6f0c715d69ea1829d505d1c0f53fd8ebc5efd3b7d2afbc0482d2b35a84f185974844546eaf9a

  • SSDEEP

    12288:IMrgy90i7Ixu1ep24SsF+6MaTQmNRWAZOCI+Tj:oyxh0p2KHTQmNRWADzTj

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.4/Gol478Ns/index.php

Targets

    • Target

      aca71960192a8fb23e07ece5b076cf593c4fc8b44214318eb79a75ebd243c1e2

    • Size

      558KB

    • MD5

      39b1c1df2d4e1c512b40def54038a2e7

    • SHA1

      fce6b4b0180966b01cd75c6855e14a9511adc50b

    • SHA256

      aca71960192a8fb23e07ece5b076cf593c4fc8b44214318eb79a75ebd243c1e2

    • SHA512

      f651fe17af46753b51461ce2a8b5b9ebfc236aef9a77b8c9c32a6f0c715d69ea1829d505d1c0f53fd8ebc5efd3b7d2afbc0482d2b35a84f185974844546eaf9a

    • SSDEEP

      12288:IMrgy90i7Ixu1ep24SsF+6MaTQmNRWAZOCI+Tj:oyxh0p2KHTQmNRWADzTj

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Modify Existing Service              1      T1031
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      3      T1112
  Defense Evasion       Disabling Security Tools             2      T1089
  Discovery             Query Registry                       1      T1012
  Discovery             System Information Discovery         2      T1082

Tasks