amadey

General

Target

release_JC.zip
Size

1.6MB
Sample

231024-y22qlsha85
MD5

3d854a29c35902e2ef8ad796f7b62108
SHA1

505c367ad2d74b1fad2ecb070705890b044f2e8a
SHA256

c619e92d516921b48efdddfc63bc752b1f920ebd005a0335a5e8bba56c8b7d16
SHA512

30d6a47495e83e667f4e570072b92495a47d377b3a220e62fc4ed943104af01e2fe42765982f915b9ecdd4c2dca78e0eb2b3635ab5199c472df38add95d2af78
SSDEEP

49152:qo3v9B2DH5IhuKQxXxOnAWULAqtIk1QTx9sNQ:qo/925GN+xObwAVk1asa

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

2.03

Attributes

install_dir
3101f8f780
install_file
gbudn.exe
strings_key
98efc0765f4c223e79368db4c8650353

rc4.plain

Extracted

Family

azorult

C2

http://benchadcrd.nl/gate.php

Targets

- Target
  
  mtk.exe
- Size
  
  4.0MB
- MD5
  
  0dbaff61a0d7eb35c23542fe980c8e30
- SHA1
  
  a65bce229a1f0143c6f5c86a205da15d74652335
- SHA256
  
  0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594
- SHA512
  
  d59cc95efbb06b98b32ab0f52596aad4cf8b72a2390cddee8237301ee284995421fe98aff13a967db34d49759feaeac51f76e23d4d49397ef81fb003075adfc7
- SSDEEP
  
  49152:5hkVUncRtu1kPxXzEgDH/0nl0efk6e4Ath5+hY7hYKJ+NFK2Z0N/eEDNIGuWFlva:qxJDhlEF0N/e06Wrghxt
Score

10^/10

amadey mimikatz neshta strongpity evasion persistence spyware stealer trojan upx azorult infostealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Neshta payload
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- StrongPity
  StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
  stealer spyware strongpity
- StrongPity Spyware
- UAC bypass
  evasion trojan
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Winexe tool used by Sofacy APT in several incidents
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2