amadey | 572874b5ab72f55cd764b3ccc405fa2350e7b9b95e761f2e686e1b4f0d4427dc | Triage

Sharing

General

Target

572874b5ab72f55cd764b3ccc405fa2350e7b9b95e761f2e686e1b4f0d4427dc
Size

386KB
Sample

230505-m8skqsbe3y
MD5

26e6daedb12f450247a1a1ad1559e59e
SHA1

4b317a4730877db27ca392b387f999a06f6941f5
SHA256

572874b5ab72f55cd764b3ccc405fa2350e7b9b95e761f2e686e1b4f0d4427dc
SHA512

8137614ac4082a6ed60294943e7011310450ce76b5f3b2b22413c0361c52a93ea740a83a7d2e736e5c5abb45ae57e34044432654eba1de07bd38aec4e2df90eb
SSDEEP

6144:KUy+bnr+xp0yN90QEp6ZlUvH5T+9zpPV3ogggwQveQVWXwKCF3iVL51O+lqLd0Fg:UMrNy90LTv4PMgwQV5tF3QhqZ0FFi

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Targets

- Target
  
  572874b5ab72f55cd764b3ccc405fa2350e7b9b95e761f2e686e1b4f0d4427dc
- Size
  
  386KB
- MD5
  
  26e6daedb12f450247a1a1ad1559e59e
- SHA1
  
  4b317a4730877db27ca392b387f999a06f6941f5
- SHA256
  
  572874b5ab72f55cd764b3ccc405fa2350e7b9b95e761f2e686e1b4f0d4427dc
- SHA512
  
  8137614ac4082a6ed60294943e7011310450ce76b5f3b2b22413c0361c52a93ea740a83a7d2e736e5c5abb45ae57e34044432654eba1de07bd38aec4e2df90eb
- SSDEEP
  
  6144:KUy+bnr+xp0yN90QEp6ZlUvH5T+9zpPV3ogggwQveQVWXwKCF3iVL51O+lqLd0Fg:UMrNy90LTv4PMgwQV5tF3QhqZ0FFi
Score

10^/10

amadey discovery evasion persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeydiscoveryevasionpersistencespywarestealertrojan