General

  • Target

    435718040f23d5db328ab3c844201d7d075c247c435008a9a3d3ff83d93b87e5

  • Size

    558KB

  • Sample

    230206-y2al5afg29

  • MD5

    7678a6201d86ec6c87a8283af8a746ea

  • SHA1

    97922791531822d85de8ab00adbbeebf2260c903

  • SHA256

    435718040f23d5db328ab3c844201d7d075c247c435008a9a3d3ff83d93b87e5

  • SHA512

    8a840b869f2524caf30d6c160cc7659fcb67db55eb220a488678b7e717f0f09d008da62888d8111bc5d5b2f9ee723b5901f4e7f331a15a4ce43151d3567f5df5

  • SSDEEP

    12288:lMr/y90fodGYBGusF+4MaTMmNRiRxd1M0RibN:GyXdGlHHTMmNRiLd1M0Rc

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Targets

    • Target

      435718040f23d5db328ab3c844201d7d075c247c435008a9a3d3ff83d93b87e5

    • Size

      558KB

    • MD5

      7678a6201d86ec6c87a8283af8a746ea

    • SHA1

      97922791531822d85de8ab00adbbeebf2260c903

    • SHA256

      435718040f23d5db328ab3c844201d7d075c247c435008a9a3d3ff83d93b87e5

    • SHA512

      8a840b869f2524caf30d6c160cc7659fcb67db55eb220a488678b7e717f0f09d008da62888d8111bc5d5b2f9ee723b5901f4e7f331a15a4ce43151d3567f5df5

    • SSDEEP

      12288:lMr/y90fodGYBGusF+4MaTMmNRiRxd1M0RibN:GyXdGlHHTMmNRiLd1M0Rc

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks