General

  • Target

    ChrоmеSеtuр.exe

  • Size

    3.3MB

  • Sample

    230826-1w1mgade94

  • MD5

    7799b9185e0e45643c325a679d9e4357

  • SHA1

    c4155ee2c75279cfe4ce7942d7ff992fa17cdfa2

  • SHA256

    10f504133a652d196aa14eb26d55d0b53da16590584696a1f282a95bb3e9c08a

  • SHA512

    a9006b03ba387f8b96ddacd885237dc44a8e4b365841a55dd7916c5855640c3b21ddc5657b87ad0f035dc965f08c1ccce8a3c6250b0b5caa30c2a29886ccf5dd

  • SSDEEP

    49152:oWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp51kXYpnF4tk11zppI04zmHZl:ltfl0kYax0dMiNsqWGXwtyRk

Malware Config

Extracted

Family

amadey

Version

3.86

C2

45.9.74.182/b7djSDcPcZ/index.php

Targets

    • Target

      ChrоmеSеtuр.exe

    • Size

      3.3MB

    • MD5

      7799b9185e0e45643c325a679d9e4357

    • SHA1

      c4155ee2c75279cfe4ce7942d7ff992fa17cdfa2

    • SHA256

      10f504133a652d196aa14eb26d55d0b53da16590584696a1f282a95bb3e9c08a

    • SHA512

      a9006b03ba387f8b96ddacd885237dc44a8e4b365841a55dd7916c5855640c3b21ddc5657b87ad0f035dc965f08c1ccce8a3c6250b0b5caa30c2a29886ccf5dd

    • SSDEEP

      49152:oWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp51kXYpnF4tk11zppI04zmHZl:ltfl0kYax0dMiNsqWGXwtyRk

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Use of msiexec (install) with remote resource

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks