General

  • Target

    59a0c29a9ce34ffe0f33de41c3bb2f4ee1dadd544dddacf3d021bccbf917c358

  • Size

    1.1MB

  • Sample

    230421-vzkgrsah8y

  • MD5

    de2bdcf6245f6f391789dd48e5489bb4

  • SHA1

    cd967f7a02c372fc8dab1bfcfa9d76762b29e813

  • SHA256

    59a0c29a9ce34ffe0f33de41c3bb2f4ee1dadd544dddacf3d021bccbf917c358

  • SHA512

    387d7fe6011b607c4f2650d3db7ddd31e79b9edf0b33118a4ad771b369ae6b57bed32493fc70fb9a3cf59e8e7a4d1b3e1e7fd7e9a66bdd8ef536313756ded8bd

  • SSDEEP

    24576:0yqoCYvdjZwqiEVDShROit2Ak3iCYWoFwHnbT8OodvY:DdrZZwOJI2oFenbTfKv

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.70

  • C2

    212.113.119.255/joomla/index.php

Targets

    • Target

      59a0c29a9ce34ffe0f33de41c3bb2f4ee1dadd544dddacf3d021bccbf917c358

    • Size

      1.1MB

    • MD5

      de2bdcf6245f6f391789dd48e5489bb4

    • SHA1

      cd967f7a02c372fc8dab1bfcfa9d76762b29e813

    • SHA256

      59a0c29a9ce34ffe0f33de41c3bb2f4ee1dadd544dddacf3d021bccbf917c358

    • SHA512

      387d7fe6011b607c4f2650d3db7ddd31e79b9edf0b33118a4ad771b369ae6b57bed32493fc70fb9a3cf59e8e7a4d1b3e1e7fd7e9a66bdd8ef536313756ded8bd

    • SSDEEP

      24576:0yqoCYvdjZwqiEVDShROit2Ak3iCYWoFwHnbT8OodvY:DdrZZwOJI2oFenbTfKv

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks