General
-
Target
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09.zip
-
Size
749KB
-
Sample
230321-r1kmdadd2w
-
MD5
c060aabd9f6a1d22eada869b44f1a54c
-
SHA1
4afcab319f7017348483c796d03e0985681fad24
-
SHA256
d2d3058a2a175ff00b4da1fbbef586d5d9ab1b61c429357e1efa97ecce1ba815
-
SHA512
aaa3ddf23f14bd451dbc47ab6552380eee0adccf42b7178b90238a53f68d66df11e25eb10b589f263a510ab54b53340b2ac5da7599e074fb36c37364ee00d56d
-
SSDEEP
12288:Jc1Yn83Za25pf1JbTLHHz22udFUPjlUPeb/S1Nbp+gP9PCV8/JKL5KO9u+ZBvxp4:JcK8paMX9TLHEds5gZNbp+gP9PCGBOKz
Static task
static1
Behavioral task
behavioral1
Sample
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09.exe
Resource
win7-20230220-en
Malware Config
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Targets
-
-
Target
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09.exe
-
Size
1.5MB
-
MD5
9b8786c9e74cfd314d7fe9fab571d451
-
SHA1
e5725184c2da0103046f44c211cc943582c1b2b2
-
SHA256
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
-
SHA512
9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9
-
SSDEEP
12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED
-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is malware named for its resemblance to Lazarus's Manuscrypt; it targets government organizations and ICS.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up the country code configured in the registry, most likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
-
Suspicious use of SetThreadContext
-
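The "Unexpected DNS network traffic destination" signature above flags any traffic on port 53 that does not go to the resolvers the analysis VM is configured with. As an added example that is not part of this report or of the sandbox's own code, the following Python reproduces that check over a constructed flow log: the log layout, the guest address 10.0.0.5 and the configured resolver 10.0.0.1 are assumptions; the only address taken from the report is the Amadey C2 77.73.134.27, which appears here as ordinary HTTP traffic and must not be flagged by this rule.

```python
import re
from collections import namedtuple
from ipaddress import ip_address

DNS_PORT = 53

# Constructed sample of what a sandbox network log might look like after the
# guest (10.0.0.5) runs the sample. The record layout is assumed, not the
# sandbox's real format. 10.0.0.1 is the resolver the VM is configured with.
SAMPLE_FLOWS = """\
udp 10.0.0.5:51234 -> 10.0.0.1:53
udp 10.0.0.5:51235 -> 10.0.0.1:53
tcp 10.0.0.5:49811 -> 77.73.134.27:80
udp 10.0.0.5:51236 -> 8.8.8.8:53
tcp 10.0.0.5:49812 -> 1.1.1.1:53
udp 10.0.0.5:51237 -> 10.0.0.1:123
"""

Flow = namedtuple("Flow", "proto src sport dst dport")

FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Parse the assumed 'proto src:sport -> dst:dport' records into Flow tuples.
    Blank lines are skipped; anything else that does not match is an error, so a
    format change in the log cannot silently turn into 'no hits'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return flows


def unexpected_dns_destinations(flows, configured_dns):
    """Return (proto, dst) pairs for every flow to port 53, over UDP or TCP,
    whose destination is not one of the configured resolvers. Results are
    de-duplicated in first-seen order so one host is reported once."""
    allowed = {ip_address(s) for s in configured_dns}
    hits = []
    seen = set()
    for f in flows:
        if f.dport != DNS_PORT:
            continue
        dst = ip_address(f.dst)
        if dst in allowed:
            continue
        key = (f.proto, str(dst))
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


if __name__ == "__main__":
    for proto, dst in unexpected_dns_destinations(parse_flows(SAMPLE_FLOWS),
                                                  ["10.0.0.1"]):
        print(f"unexpected DNS destination: {dst} ({proto}/{DNS_PORT})")
```

Both TCP and UDP port 53 are covered, since DNS over TCP is a common way for malware to talk to a resolver of its own choosing; the C2 connection on port 80 is left to the HTTP and "Downloads MZ/PE file" signatures rather than this one.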