General

  • Target

    72c6824d03dd629601466ddc4a8be6181538a592fc9f5c3bf7d2ce3d10e15389

  • Size

    950KB

  • Sample

    230424-ag36yagg24

  • MD5

    c5982260d0d3203216d1a46934d9a001

  • SHA1

    9d10d5a2af5d889248ea8d3fb2645dd715cc672a

  • SHA256

    72c6824d03dd629601466ddc4a8be6181538a592fc9f5c3bf7d2ce3d10e15389

  • SHA512

    3cbfa7274f315d2953bd69c1742e260af22292a65ff501c911e8eecfcb5b0c3e71f05c0be7b1cd44126cb7ce7d2f8ca1a530e27ad439326c788c2987153c9abd

  • SSDEEP

    24576:Uy0hRG5wJL/Jd11r8L/R8shEIPjTYhDKiOnksl:jGgSJAjbEIPvYpFOnf

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.70

  • C2

    212.113.119.255/joomla/index.php

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks