General

  • Target

    setup.exe

  • Size

    950KB

  • Sample

    230424-ag68laac8t

  • MD5

    45d20b3b4b2294d275eea725d28d15f6

  • SHA1

    2f29d1bc549f9a8a474ceaa97bb2328205c2deec

  • SHA256

    4612abbf556c9e649964e669af3eca0efe5bba72be754652ca449a29be47d460

  • SHA512

    f8a7e9bcf13be273f63bc5ea6e87da1cd8e70dbab506049dc8399d9c23605ae81cf5bb5eedd920f1690b0f924fb8fe1de54742f263fa0210e1627f1f7c492ba3

  • SSDEEP

    24576:6y/zx+jtdQtNOjHmHwOTDdtr3Ly2yI7SuhaDe+AJ0Sl4Mu:Bk34NO6QO3dt1yI7oAaSlD

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

    • Target

      setup.exe

    • Size

      950KB

    • MD5

      45d20b3b4b2294d275eea725d28d15f6

    • SHA1

      2f29d1bc549f9a8a474ceaa97bb2328205c2deec

    • SHA256

      4612abbf556c9e649964e669af3eca0efe5bba72be754652ca449a29be47d460

    • SHA512

      f8a7e9bcf13be273f63bc5ea6e87da1cd8e70dbab506049dc8399d9c23605ae81cf5bb5eedd920f1690b0f924fb8fe1de54742f263fa0210e1627f1f7c492ba3

    • SSDEEP

      24576:6y/zx+jtdQtNOjHmHwOTDdtr3Ly2yI7SuhaDe+AJ0Sl4Mu:Bk34NO6QO3dt1yI7oAaSlD

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks