amadey | 7d49e3615220e7899535902b94547ae2644c8ae15bd1be0dcadc9c30cc2b4bc2 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

7d49e3615220e7899535902b94547ae2644c8ae15bd1be0dcadc9c30cc2b4bc2
Size

387KB
Sample

230505-jlgceagh74
MD5

454f4f9b499f0692cfca14e04ff5eb43
SHA1

f13bb3248b82269c1534fefeb0b86160df5d3905
SHA256

7d49e3615220e7899535902b94547ae2644c8ae15bd1be0dcadc9c30cc2b4bc2
SHA512

ff09192659727801e28f847e97a5edc894021888b6d589db9d87063f01b74d4d2b191c94134418a56f95ebc700933fee0697e11547e1330ef8991137156cf10c
SSDEEP

6144:K0y+bnr+ap0yN90QEmti6PjaTqCKYRJdsMvLwtXhEFEE7HZknbmYtU:YMr2y90IPjwqidDvLwtSFE0qbmmU

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

- Target
  
  7d49e3615220e7899535902b94547ae2644c8ae15bd1be0dcadc9c30cc2b4bc2
- Size
  
  387KB
- MD5
  
  454f4f9b499f0692cfca14e04ff5eb43
- SHA1
  
  f13bb3248b82269c1534fefeb0b86160df5d3905
- SHA256
  
  7d49e3615220e7899535902b94547ae2644c8ae15bd1be0dcadc9c30cc2b4bc2
- SHA512
  
  ff09192659727801e28f847e97a5edc894021888b6d589db9d87063f01b74d4d2b191c94134418a56f95ebc700933fee0697e11547e1330ef8991137156cf10c
- SSDEEP
  
  6144:K0y+bnr+ap0yN90QEmti6PjaTqCKYRJdsMvLwtXhEFEE7HZknbmYtU:YMr2y90IPjwqidDvLwtSFE0qbmmU
Score

10^/10

amadey discovery evasion persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeydiscoveryevasionpersistencespywarestealertrojan