amadey | 363156046460344c5dc499b0aa0e32078aabb3f1fe6229bc056cb7497948416d | Triage

Sharing

Copy URL Twitter E-mail

General

Target

244584512d6decb0d37cef150886e636.bin
Size

16KB
Sample

230519-bgptzsdc3x
MD5

186d8c94d149574df383a70420fee42a
SHA1

317087a4ab158eba4b851349fef33adcb45f46a8
SHA256

363156046460344c5dc499b0aa0e32078aabb3f1fe6229bc056cb7497948416d
SHA512

6f3397dd124a538ddf2971df541e8864c9fe691a324e6574aa8b8a653fe5935b7e9a6fcd00791c133cb5b35c22e37ecee58437a2d3309372f2be423d2f5505c6
SSDEEP

384:Djly9POrbn6ZqJve7SnUagb0KqAIUJ7yKT778g7oOFnqb:FaPOrbn1ULagbrQmb778Eqb

Score

10^/10

amadey evasion persistence spyware stealer trojan

Malware Config

Targets

- Target
  
  56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866.bat
- Size
  
  22KB
- MD5
  
  244584512d6decb0d37cef150886e636
- SHA1
  
  fe50c7e039605957ab9bfd034f7861e6023d0093
- SHA256
  
  56107979d024223bd4ba443cf654ebfc32e19a3eaffd7a055fadb6ac1ce97866
- SHA512
  
  24613bbe96ab7befac49f8d4acd6b8a9d14bb0add1651412c0859d4031feabd2aa40e8e582a449af7acbb0eba6776de1b65f0ead759c7fcf089bf3d12eb46243
- SSDEEP
  
  384:b2VPeJS3xtpEG3cZrUKUE0gMGfa9720wvjeqzAzW6yeVf9jlP7JYK5zf8rh:bUWJS3xwQ8rUwMaaJ20wvjj0zLVRlzO5
Score

10^/10

evasion amadey persistence spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

amadeyevasionpersistencespywarestealertrojan