General

  • Target

    22ed61cb42f7bbf92a591b7e0f6c997b4f4eac848b37300c8d0f837c779ece3e

  • Size

    558KB

  • Sample

    230206-ym4awsff48

  • MD5

    6b3d4928ca4fe04d093ba33f4dc45486

  • SHA1

    c6596083605e31c770760d480241c9e6a619a659

  • SHA256

    22ed61cb42f7bbf92a591b7e0f6c997b4f4eac848b37300c8d0f837c779ece3e

  • SHA512

    98f7ae641249d6f5f526a0c228758a672e984ce959687d2d7eabf5bc25796a70ffbb7e2dbb9aac454dd41aeb3f2b17396e8b6735cfd52628294f2815f7435da5

  • SSDEEP

    12288:bMrvy90KM4mxbt7pAoF5jYUK6uYCviTy53VpaX1+bVAKv1VQB:UyfleAaYDHvSro31VQB

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.5/Bu58Ngs/index.php

Targets

    • Target

      22ed61cb42f7bbf92a591b7e0f6c997b4f4eac848b37300c8d0f837c779ece3e


    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

    • Scheduled Task (T1053): 1

Persistence

    • Modify Existing Service (T1031): 1

    • Registry Run Keys / Startup Folder (T1060): 1

    • Scheduled Task (T1053): 1

Privilege Escalation

    • Scheduled Task (T1053): 1

Defense Evasion

    • Modify Registry (T1112): 3

    • Disabling Security Tools (T1089): 2

Discovery

    • System Information Discovery (T1082): 1
