General

  • Target

    3302fdd3be85ac5427180933319fc800040273318f71fa707ebaab2418c8deb5

  • Size

    1.4MB

  • Sample

    230415-x5kqtsgh6z

  • MD5

    b9f2e521b9da42845ae4955710c9f566

  • SHA1

    ade94ab00fc1aead48bce6cbfc1a06a3b815184e

  • SHA256

    3302fdd3be85ac5427180933319fc800040273318f71fa707ebaab2418c8deb5

  • SHA512

    f6c156009f9437322e399f4c4b361fae7973a72d546d3a6e88f3cf481b42988435801a93f59514ab9f178c8680339259dac8b4a41d0986ef72e41c174056373f

  • SSDEEP

    24576:oys9qFUg43bAbSZt3kpONSFyRfPalLzaf1ezbiyKj9sGZ6hxfBFod5uMUnv4zqNh:vWO43b5/kpsRfPHwz2Zsy47MAMYQuNZZ

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.70

  • C2

    193.201.9.43/plays/chapter/index.php

Targets

    • Target

      3302fdd3be85ac5427180933319fc800040273318f71fa707ebaab2418c8deb5

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks