General

  • Target

    file.exe

  • Size

    558KB

  • Sample

    230206-zd5m2afg75

  • MD5

    b26d8fdd312369cdddb8c7a8717ad7ad

  • SHA1

    a6dd74a7abc5eef221d6ba2dc6a48c986e9e5baa

  • SHA256

    c2953504cc927c80bfd7c37d80e73ff1e2bc1df94dba15118e091c7bbbb78166

  • SHA512

    7de34b36a1c275f6bc67cd17729c092a1c51368b2220ae8575ac2b3565178f353b0c4ce8c7bab9dcfa0372535dc4638ac35921b1f907c70066c3ba8cd8e5f770

  • SSDEEP

    12288:5MrYy90+5DxjiapbCHsF+qMaTkmNRWZDGOjoWYL4Qag4:xyf5hbnHTkmNRW5GbXkQz4

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.66

  • C2

    62.204.41.4/Gol478Ns/index.php

Targets

    • Target

      file.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task: T1053 (1)

Persistence

  • Modify Existing Service: T1031 (1)

  • Registry Run Keys / Startup Folder: T1060 (1)

  • Scheduled Task: T1053 (1)

Privilege Escalation

  • Scheduled Task: T1053 (1)

Defense Evasion

  • Modify Registry: T1112 (3)

  • Disabling Security Tools: T1089 (2)

Discovery

  • Query Registry: T1012 (1)

  • System Information Discovery: T1082 (2)

Tasks