General

  • Target

    b6aeb75f7184e469f1f5db6d99166d16dae1216c45b44803d2c8cac3a7a0f0e3

  • Size

    577KB

  • Sample

    230206-sc6qdaee42

  • MD5

    34a2338004e8491d3ba18ba74170ead6

  • SHA1

    835f9fc8c3fee08832ad93014d86a018daa09f31

  • SHA256

    b6aeb75f7184e469f1f5db6d99166d16dae1216c45b44803d2c8cac3a7a0f0e3

  • SHA512

    3a72cf0db2e1accf1315edc467f4ac1c55801b9414d6c38724e258d1dd3bf397bc75d0d04eddfa9f4fe10228f45f61123f8d79c86a33c9c5e8e6b023370bc7e6

  • SSDEEP

    12288:VMrZy90dEFguA20V0OOZ9zIVnDFVKqGUTviZ0fy+n7UdFb:kywggu4VOZZExGu60fv7UdFb

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Targets

    • Target

      b6aeb75f7184e469f1f5db6d99166d16dae1216c45b44803d2c8cac3a7a0f0e3

    • Size

      577KB

    • MD5

      34a2338004e8491d3ba18ba74170ead6

    • SHA1

      835f9fc8c3fee08832ad93014d86a018daa09f31

    • SHA256

      b6aeb75f7184e469f1f5db6d99166d16dae1216c45b44803d2c8cac3a7a0f0e3

    • SHA512

      3a72cf0db2e1accf1315edc467f4ac1c55801b9414d6c38724e258d1dd3bf397bc75d0d04eddfa9f4fe10228f45f61123f8d79c86a33c9c5e8e6b023370bc7e6

    • SSDEEP

      12288:VMrZy90dEFguA20V0OOZ9zIVnDFVKqGUTviZ0fy+n7UdFb:kywggu4VOZZExGu60fv7UdFb

    • Amadey

Amadey is a simple bot/trojan used primarily to collect reconnaissance information about the infected host and report it to its C2; it also stages further payloads, which is consistent with the dropped EXE and DLL activity recorded below.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence so the sample does not run in excluded regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application
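
The behaviours and C2 indicators listed above, turned into hunting logic over constructed telemetry. This is example code added to this page, not the sandbox's own signatures: the Sysmon-style event dictionaries, the proxy-log layout, the Defender and Run-key path patterns and the "POST to index.php on a bare IP" heuristic are all assumptions; only the C2 host and path come from the report.

```python
"""Hunting for the behaviours this report attributes to Amadey 3.66, over
constructed sample telemetry. Example code written for this page; the
event shapes and the detection thresholds are assumptions, not the
sandbox's own rules."""
import re
from urllib.parse import urlsplit

# Indicators taken from the report above.
C2_HOST = "62.204.41.5"
C2_PATH = "/Bu58Ngs/index.php"

# Constructed Sysmon-style registry events (Event ID 13 = RegistryEvent, value set).
# Sysmon records registry writes only, so the geofence *read* of the country
# code is a sandbox observation and does not appear in this kind of telemetry.
REGISTRY_EVENTS = [
    {"event_id": 13, "image": r"C:\Users\victim\AppData\Local\Temp\abc.exe",
     "target": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abc",
     "details": r"C:\Users\victim\AppData\Local\Temp\abc.exe"},
    {"event_id": 13, "image": r"C:\Users\victim\AppData\Local\Temp\abc.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

# Constructed web-proxy lines: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2023-02-06T12:00:01Z 10.0.0.5 POST http://62.204.41.5/Bu58Ngs/index.php 200
2023-02-06T12:00:03Z 10.0.0.5 GET http://www.msftconnecttest.com/connecttest.txt 200
2023-02-06T12:00:09Z 10.0.0.7 POST http://198.51.100.23/panel/index.php 200
2023-02-06T12:00:12Z 10.0.0.5 GET https://example.org/index.php 200
"""

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_registry_event(ev):
    """Map one registry write to a technique tag, or None if it looks benign.
    Run-key writes are only flagged when the writing image lives in a
    user-writable path, which keeps legitimate system installers out."""
    if ev.get("event_id") != 13:
        return None
    target = ev["target"]
    if DEFENDER_RTP.search(target):
        return "T1089 defender_realtime_disabled"
    if RUN_KEY.search(target) and USER_WRITABLE.search(ev["image"]):
        return "T1060 run_key_from_user_writable_path"
    return None


def match_c2(line):
    """Return 'exact' for the reported C2 host+path, 'heuristic' for an
    Amadey-like POST to index.php on a bare IP, or None. The heuristic is
    an assumption and will need tuning against real traffic."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    _, _, method, url, _ = m.groups()
    u = urlsplit(url)
    if u.hostname == C2_HOST and u.path == C2_PATH:
        return "exact"
    is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or "") is not None
    if method == "POST" and is_ip and u.path.endswith("/index.php"):
        return "heuristic"
    return None


def triage(events=REGISTRY_EVENTS, proxy_log=PROXY_LOG):
    """Summarise which reported behaviours reproduce in the telemetry."""
    reg_hits = [t for t in (classify_registry_event(e) for e in events) if t]
    net_hits = {}
    for line in proxy_log.splitlines():
        verdict = match_c2(line)
        if verdict:
            net_hits.setdefault(verdict, []).append(line.split()[1])
    return {"registry": reg_hits, "network": net_hits}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits)
```

The exact C2 match is the high-confidence indicator; the heuristic branch exists because the operators rotate hosts and paths, and an analyst usually wants to see the weaker matches (here the second client posting to another bare IP) listed separately rather than silently merged.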

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Hits  ID
  Execution             Scheduled Task                       1     T1053
  Persistence           Modify Existing Service              1     T1031
  Persistence           Registry Run Keys / Startup Folder   1     T1060
  Persistence           Scheduled Task                       1     T1053
  Privilege Escalation  Scheduled Task                       1     T1053
  Defense Evasion       Modify Registry                      3     T1112
  Defense Evasion       Disabling Security Tools             2     T1089
  Discovery             Query Registry                       1     T1012
  Discovery             System Information Discovery         2     T1082

The IDs are ATT&CK v6 technique numbers. In current ATT&CK, T1060 has become T1547.001 (Registry Run Keys / Startup Folder), T1089 has become T1562.001 (Disable or Modify Tools), T1031 has become T1543.003 (Windows Service), and Scheduled Task is T1053.005; T1112, T1012 and T1082 are unchanged.

Tasks