General

  • Target

    c1e4d8cca13adfcd4b7baa0eaf520972.bin

  • Size

    1.2MB

  • Sample

    230420-canh1seg86

  • MD5

    838e140daa3312313d9c4c54cc555800

  • SHA1

    8f313732d67730c8e0d6a230be42ea822d941d80

  • SHA256

    87c7648d555bf196d920fc2d6d35e32a328ab5e00631dd1f572862676931e8d2

  • SHA512

    eaacfe8fb3733b7061adec92837588f6dbf1ed9de3a28240434cac99f35e854fdff32edb131af34eb238efc7cbacdc26a2900fe6493d2f2484dbab637cd350ff

  • SSDEEP

    24576:9KDCInxhWIcFaEfDES01kEZg3liFaDrtmxZcTBn6ZyLe:eHcF/fDz2ZgsFIrtms56Zce

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

    • Target

      b71c9fa76559692a04807f0e669631f42a65f210bd0d043735fc945cb3155a15.exe

    • Size

      1.2MB

    • MD5

      c1e4d8cca13adfcd4b7baa0eaf520972

    • SHA1

      95e1976b0fdb0e7caf240faaa896ce42624a0cb4

    • SHA256

      b71c9fa76559692a04807f0e669631f42a65f210bd0d043735fc945cb3155a15

    • SHA512

      f98f675971588d79e75e8abfd17aa3c692e48b0223a60bb98e2a98cb686c0e5d53882e415b1f5d69ea07267ef08631b4932bc520b488feee2c59df07d6dbe7de

    • SSDEEP

      24576:Dy7bhfU7DmI1OueY0um4TvMMDpm660eNi8qQscTHn238lExZYG2w:W3hf0x1HetzOpm60k8gcTnmTxGV

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect rhadamanthys stealer shellcode

    • Modifies Windows Defender Real-time Protection settings

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks