General
Target: 4313154152002f1a73f9f39ffb798e0511ab2f8b1636a2065a63ecb96f5d8a97
Size: 1.1MB
Sample: 230416-rz9j4scb3x
MD5: 3da7542a3a89f0a8d8f459a6f035c6d2
SHA1: 0e551f07602e40d61a91cf79c442c01face13c14
SHA256: 4313154152002f1a73f9f39ffb798e0511ab2f8b1636a2065a63ecb96f5d8a97
SHA512: 9b04e247e47f7d71432836ace42511f420a5c9c853f28b6c0e1bca8df838f241c23ea210af35b885b153ebb0c6ee49c3af79227bc5bd951c9c6d899a03cac385
SSDEEP: 24576:myQaLoKM8I7tYr8/fk7D7tJ7r6+Go49oP0DQDCzf5anxI8JL:1StY4fAbr6+3WoPIjYxI
Static task: static1
Malware Config
Extracted: amadey 3.70
212.113.119.255/joomla/index.php
Targets
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.