General

  • Target

    b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e

  • Size

    558KB

  • Sample

    230206-xm4qzsaf4v

  • MD5

    e74ebd7dbb48ae2070847cd6dafbc0c1

  • SHA1

    04244f94f28ac3b718d46b1ae125f637b70eaf07

  • SHA256

    b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e

  • SHA512

    166e4fc30b1d7f3f300475c39dea497e2048e77476b2744b9774b920d229f21dc9c667dd3c350c10b72218642711ccd02cb33c1015cd198d7494fac71fbfc2d9

  • SSDEEP

    12288:RMrRy90z/PamR5AqwE8QzUK6uYCvyTK53Vpa8a+bVJKOds/l7:EyC/PH5AqwmDHvC4dpQ

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Targets

    • Target

      b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e

    • Size

      558KB

    • MD5

      e74ebd7dbb48ae2070847cd6dafbc0c1

    • SHA1

      04244f94f28ac3b718d46b1ae125f637b70eaf07

    • SHA256

      b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e

    • SHA512

      166e4fc30b1d7f3f300475c39dea497e2048e77476b2744b9774b920d229f21dc9c667dd3c350c10b72218642711ccd02cb33c1015cd198d7494fac71fbfc2d9

    • SSDEEP

      12288:RMrRy90z/PamR5AqwE8QzUK6uYCvyTK53Vpa8a+bVJKOds/l7:EyC/PH5AqwmDHvC4dpQ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks