General

  • Target

    ba218b60cb97c3532b8b9c796d954622.exe

  • Size

    1.1MB

  • Sample

    230322-fbnryseh48

  • MD5

    ba218b60cb97c3532b8b9c796d954622

  • SHA1

    ae18137fb0809f61797b7448bb139840d1f49e99

  • SHA256

    8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

  • SHA512

    06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

  • SSDEEP

    24576:+DqJfHKurNTbvYkwdBd9BO3Oz1ITm+2Hd:+DIHKurdbvYDz5+2Hd

Malware Config

Extracted

Family

amadey

Version

3.65

C2

77.73.134.27/8bmdh3Slb2/index.php

Targets

    • Target

      ba218b60cb97c3532b8b9c796d954622.exe

    • Size

      1.1MB

    • MD5

      ba218b60cb97c3532b8b9c796d954622

    • SHA1

      ae18137fb0809f61797b7448bb139840d1f49e99

    • SHA256

      8bee3d713fc207a8ca82e8eaf85396b55fcd29fe9214a83ce9399fa48ac4bd4b

    • SHA512

      06b0ac48d4dad3253a817a7f6bc34437a748e3d885328986f652347c8cbc72f2fc5aebdc3e3781357887da74b77f2eb6b57a816d16d96e6b713e3c3aab1ba158

    • SSDEEP

      24576:+DqJfHKurNTbvYkwdBd9BO3Oz1ITm+2Hd:+DIHKurdbvYDz5+2Hd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks