amadey

General

Target

mtk.exe
Size

3.8MB
Sample

231025-fah53sea99
MD5

0f9599d3ddf1e0c8f818d384ee8d0d19
SHA1

2ca17aef38df0c00efa49b4b448c5f8343725c2f
SHA256

a98aec4a39f5f5ee41280cb17d9b4b5e9bc1eea2fb2ff0d7a962e2b74464d67c
SHA512

7c41c8bf3cadf94f14c25b1e85f3d56a4d39918b1b3718d3f8a284164dc02eb2643ebc28069c1bb7e84adaac41211c52f5e47fa10b86e797c64a6d4cfa0efbf7
SSDEEP

49152:F0BKpXaVwQ5isgxUX+E5ZQcK2mqyxlb+oYLTL2QZnDNR0t62zm33Nar:Z7UwuyJYXL2QZDCzK3Nar

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

2.03

Attributes

install_dir
3101f8f780
install_file
gbudn.exe
strings_key
98efc0765f4c223e79368db4c8650353

rc4.plain

Targets

- Target
  
  mtk.exe
- Size
  
  3.8MB
- MD5
  
  0f9599d3ddf1e0c8f818d384ee8d0d19
- SHA1
  
  2ca17aef38df0c00efa49b4b448c5f8343725c2f
- SHA256
  
  a98aec4a39f5f5ee41280cb17d9b4b5e9bc1eea2fb2ff0d7a962e2b74464d67c
- SHA512
  
  7c41c8bf3cadf94f14c25b1e85f3d56a4d39918b1b3718d3f8a284164dc02eb2643ebc28069c1bb7e84adaac41211c52f5e47fa10b86e797c64a6d4cfa0efbf7
- SSDEEP
  
  49152:F0BKpXaVwQ5isgxUX+E5ZQcK2mqyxlb+oYLTL2QZnDNR0t62zm33Nar:Z7UwuyJYXL2QZDCzK3Nar
Score

10^/10

amadey mimikatz neshta strongpity thanos evasion persistence ransomware spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Neshta payload
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- StrongPity
  StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
  stealer spyware strongpity
- StrongPity Spyware
- Thanos Ransomware
  Ransomware-as-a-service (RaaS) sold through underground forums.
  ransomware thanos
- Thanos executable
- Modifies boot configuration data using bcdedit
  ransomware evasion
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Winexe tool used by Sofacy APT in several incidents
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Detect Neshta payload

Mimikatz

Neshta

StrongPity

StrongPity Spyware

Thanos Ransomware

Thanos executable

Modifies boot configuration data using bcdedit

mimikatz is an open source tool to dump credentials on Windows

Executes dropped EXE

UPX packed file

Winexe tool used by Sofacy APT in several incidents

Looks up external IP address via web service

AutoIT Executable

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2