amadey | 56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SKMBT18276392733.bat
Size

22KB
Sample

230517-ycc1ysgc35
MD5

244584512d6decb0d37cef150886e636
SHA1

fe50c7e039605957ab9bfd034f7861e6023d0093
SHA256

56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866
SHA512

24613bbe96ab7befac49f8d4acd6b8a9d14bb0add1651412c0859d4031feabd2aa40e8e582a449af7acbb0eba6776de1b65f0ead759c7fcf089bf3d12eb46243
SSDEEP

384:b2VPeJS3xtpEG3cZrUKUE0gMGfa9720wvjeqzAzW6yeVf9jlP7JYK5zf8rh:bUWJS3xwQ8rUwMaaJ20wvjj0zLVRlzO5

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Targets

- Target
  
  SKMBT18276392733.bat
- Size
  
  22KB
- MD5
  
  244584512d6decb0d37cef150886e636
- SHA1
  
  fe50c7e039605957ab9bfd034f7861e6023d0093
- SHA256
  
  56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866
- SHA512
  
  24613bbe96ab7befac49f8d4acd6b8a9d14bb0add1651412c0859d4031feabd2aa40e8e582a449af7acbb0eba6776de1b65f0ead759c7fcf089bf3d12eb46243
- SSDEEP
  
  384:b2VPeJS3xtpEG3cZrUKUE0gMGfa9720wvjeqzAzW6yeVf9jlP7JYK5zf8rh:bUWJS3xwQ8rUwMaaJ20wvjj0zLVRlzO5
Score

10^/10

evasion amadey persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

amadeyevasionpersistencespywarestealertrojan