General

  • Target

    381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df

  • Size

    558KB

  • Sample

    230206-yd4kasag91

  • MD5

    f7543c968422a529f4f979d5670e4f13

  • SHA1

    f1467ad3e89f4ad444de6fa01fb6faaa1dfd1dce

  • SHA256

    381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df

  • SHA512

    d10a531d91899915e01a44e830f5df133642e8cb4e5038d84c455c09b51d38f6d790b2c0571485e5bff4b348424fa904dd278a23db994816245baa3a58928629

  • SSDEEP

    12288:nMr9y90UAn2fI8BUK6uYCvdTP53VpaKm+bViKpq6RLCV:GyF1DHvR/pH9RLCV

Malware Config

Extracted

  • Family: amadey
  • Version: 3.66
  • C2: 62.204.41.5/Bu58Ngs/index.php

Targets

    • Target

      381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df

    • Size

      558KB

    • MD5

      f7543c968422a529f4f979d5670e4f13

    • SHA1

      f1467ad3e89f4ad444de6fa01fb6faaa1dfd1dce

    • SHA256

      381ef9be4e3e2a5b63b2aaada3d4990bfb2de780f33029b36bd6e2e91c3ae3df

    • SHA512

      d10a531d91899915e01a44e830f5df133642e8cb4e5038d84c455c09b51d38f6d790b2c0571485e5bff4b348424fa904dd278a23db994816245baa3a58928629

    • SSDEEP

      12288:nMr9y90UAn2fI8BUK6uYCvdTP53VpaKm+bViKpq6RLCV:GyF1DHvR/pH9RLCV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (1) T1053

Persistence

  • Modify Existing Service (1) T1031
  • Registry Run Keys / Startup Folder (1) T1060
  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Modify Registry (3) T1112
  • Disabling Security Tools (2) T1089

Discovery

  • Query Registry (1) T1012
  • System Information Discovery (2) T1082

Tasks