General

  • Target

    ad1c52735563cbaa8c4a3d0edcc4d9c7.bin

  • Size

    1.2MB

  • Sample

    230420-b68cmaeg58

  • MD5

    6b17894ea8895e2b6231c2fb74823307

  • SHA1

    61d736ae25002abc1b0546512274e96bb9b80fcb

  • SHA256

    6d7d9a05a714f322699699516e1ee6ecb4f3a1358c2eab9a008b726a3b67d033

  • SHA512

    1004f484be3b363a6866c786652b96a11439d99107f02a2306fa6aeda700a948d1ca8d1566d16e7c84519f916ba2991e9b234259d6b6748e564ac0fd5cecb932

  • SSDEEP

    24576:wvOH9kXbuqfLXb2P/kPy9tOMfbqTaRxuzoU6pb5BkX53MGBhnPcno:wvy9kXbHfLr2/kPbSqWyMU6pb5C6GBh9

Malware Config

  • Extracted

    • Family

      amadey

    • Version

      3.70

    • C2

      212.113.119.255/joomla/index.php

Targets

    • Target

      2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f.exe

    • Size

      1.2MB

    • MD5

      ad1c52735563cbaa8c4a3d0edcc4d9c7

    • SHA1

      4df0834857c2bd58db0f61a9f423f9d7da853c8f

    • SHA256

      2d4a1b377466ce663d6dab8eab39b87033b34dba3afc79510282de0c1e58cf4f

    • SHA512

      78be898eb27f72ea6d9647001a7f111a6209ada02dfe1f6a7ffdaa45c3e4126e7b11c654c871d5a6dd132e5f0e1b08ffe341a7aaa4ede835af71054886e456b5

    • SSDEEP

      24576:2ytjNnRWhcjbQZ4VY58BroyjKlZQdiXxJA5gsuOKJ7z3HFuBpQXCbzrVNXk:FtfWhw+yjK7+iXxJbaKJfHFuDSgnXX

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect rhadamanthys stealer shellcode

    • Modifies Windows Defender Real-time Protection settings

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks