Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df
Size

558KB
Sample

230206-yd4kasag91
MD5

f7543c968422a529f4f979d5670e4f13
SHA1

f1467ad3e89f4ad444de6fa01fb6faaa1dfd1dce
SHA256

381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df
SHA512

d10a531d91899915e01a44e830f5df133642e8cb4e5038d84c455c09b51d38f6d790b2c0571485e5bff4b348424fa904dd278a23db994816245baa3a58928629
SSDEEP

12288:nMr9y90UAn2fI8BUK6uYCvdTP53VpaKm+bViKpq6RLCV:GyF1DHvR/pH9RLCV

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Targets

- Target
  
  381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df
- Size
  
  558KB
- MD5
  
  f7543c968422a529f4f979d5670e4f13
- SHA1
  
  f1467ad3e89f4ad444de6fa01fb6faaa1dfd1dce
- SHA256
  
  381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df
- SHA512
  
  d10a531d91899915e01a44e830f5df133642e8cb4e5038d84c455c09b51d38f6d790b2c0571485e5bff4b348424fa904dd278a23db994816245baa3a58928629
- SSDEEP
  
  12288:nMr9y90UAn2fI8BUK6uYCvdTP53VpaKm+bViKpq6RLCV:GyF1DHvR/pH9RLCV
Score

10^/10

amadey evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

amadeyevasionpersistencetrojan