General

  • Target

    cfe88250f6188bb07aa05e227e4d421e36e185da1b6e7c9132df6876e765b4f4

  • Size

    950KB

  • Sample

    230423-zjyrnsfg74

  • MD5

    6b2be7f07005b8adf3f578f98b0c9225

  • SHA1

    6516f0beeb4c4cdb905c7c372ed40af3ce6d2de2

  • SHA256

    cfe88250f6188bb07aa05e227e4d421e36e185da1b6e7c9132df6876e765b4f4

  • SHA512

    56aa5071796dbc21830875c31aa79f0beb2efc6365531bf4ebe500396a0fac26c9bbed42aeaede78b76ec4209126ff77e3272521bc2d62840ff41dbdbd49e944

  • SSDEEP

    24576:Sygbl8I0QxqXn97qkqhWCNO+n5Syp02KQRuw8RgBeFO:5UKR2qt7tEE+5vpLKQ/IEe

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

    • Target

      cfe88250f6188bb07aa05e227e4d421e36e185da1b6e7c9132df6876e765b4f4

    • Size

      950KB

    • MD5

      6b2be7f07005b8adf3f578f98b0c9225

    • SHA1

      6516f0beeb4c4cdb905c7c372ed40af3ce6d2de2

    • SHA256

      cfe88250f6188bb07aa05e227e4d421e36e185da1b6e7c9132df6876e765b4f4

    • SHA512

      56aa5071796dbc21830875c31aa79f0beb2efc6365531bf4ebe500396a0fac26c9bbed42aeaede78b76ec4209126ff77e3272521bc2d62840ff41dbdbd49e944

    • SSDEEP

      24576:Sygbl8I0QxqXn97qkqhWCNO+n5Syp02KQRuw8RgBeFO:5UKR2qt7tEE+5vpLKQ/IEe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks