General
Target: amd.exe
Size: 437KB
Sample: 231122-pxzk1sce28
MD5: 625cb97439daa80940791f626bb4765c
SHA1: af462cf5435efceefcd6786f212e192403e80c4b
SHA256: 79f5147260484890fd1fab7a78619de557103717e124f1c249addc530b737a71
SHA512: 145f8dba2288b45ef2f0ba1582861131501fb90697dfd1a79bfcdb93fa1d9110283ccb95e24317876082c7b5b24e32f2d7f954d93cb0cac2d819dec920d00891
SSDEEP: 12288:C+mHU45lKN78RhFkvULfYOmBpumeYDDtKf:Ce45lKh87zLwp7Kf
Behavioral tasks
behavioral1: amd.exe on win7-20231020-en
behavioral2: amd.exe on win10v2004-20231025-en
Malware Config
Extracted family: amadey
Version: 4.12
C2 hosts:
http://bitcoinstorm.cc
http://blackgold.top
http://emancipation1866.top
strings_key: 550b275dd5aea0a3932bf7e10871e2c7
url_paths:
/g9sdjScV2/index.php
/vdhe8ejs3/index.php
/ghndbncg3S/index.php
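The extracted config above is the part of this report a SOC actually consumes. The following is an added example (not output of the sandbox and not Amadey's own code) that turns those indicators into something you can run against proxy or DNS logs and against a quarantined file. It assumes the C2 URL is a host joined to a path; the report lists hosts and paths as separate arrays without saying which path belongs to which host, so the code blocks the full cross product. The proxy log lines are constructed for the demonstration and match nothing in the report.

```python
import hashlib
import re
from itertools import product
from urllib.parse import urlparse

# Indicators copied from the extracted Amadey 4.12 config above.
C2_HOSTS = [
    "http://bitcoinstorm.cc",
    "http://blackgold.top",
    "http://emancipation1866.top",
]
URL_PATHS = [
    "/g9sdjScV2/index.php",
    "/vdhe8ejs3/index.php",
    "/ghndbncg3S/index.php",
]
SAMPLE_SHA256 = "79f5147260484890fd1fab7a78619de557103717e124f1c249addc530b737a71"


def candidate_c2_urls(hosts=C2_HOSTS, paths=URL_PATHS):
    """Every host/path combination. The report lists hosts and paths as
    separate arrays, so which path pairs with which host is an assumption;
    the full cross product is the conservative blocklist."""
    return sorted(h.rstrip("/") + p for h, p in product(hosts, paths))


def c2_hostnames(hosts=C2_HOSTS):
    """Bare hostnames for DNS / proxy matching (scheme stripped)."""
    return sorted(urlparse(h).hostname for h in hosts)


# Constructed proxy log lines (not from the report): "time client method url status".
SAMPLE_PROXY_LOG = """\
2023-11-22T10:01:02Z 10.0.0.15 POST http://bitcoinstorm.cc/g9sdjScV2/index.php 200
2023-11-22T10:01:05Z 10.0.0.15 GET http://update.example.com/check 200
2023-11-22T10:02:11Z 10.0.0.22 GET http://blackgold.top/favicon.ico 404
2023-11-22T10:03:40Z 10.0.0.15 POST http://emancipation1866.top/ghndbncg3S/index.php 200
2023-11-22T10:04:00Z 10.0.0.31 GET http://notbitcoinstorm.cc/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def find_c2_hits(log_text, hosts=C2_HOSTS, paths=URL_PATHS):
    """Return (client, url, match_kind) for every log line that contacts a C2
    host. 'url' means host and path both match the config; 'host' means only
    the hostname matches (worth a look, but weaker evidence)."""
    names = set(c2_hostnames(hosts))
    full = set(candidate_c2_urls(hosts, paths))
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _, client, _, url, _ = m.groups()
        parsed = urlparse(url)
        if parsed.hostname not in names:
            continue  # exact hostname match only, so no substring false positives
        kind = "url" if f"{parsed.scheme}://{parsed.hostname}{parsed.path}" in full else "host"
        hits.append((client, url, kind))
    return hits


def matches_sample(data: bytes, expected=SAMPLE_SHA256) -> bool:
    """True if the bytes hash to the report's SHA256, e.g. to confirm that a
    quarantined file is this exact sample rather than a repacked sibling."""
    return hashlib.sha256(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for client, url, kind in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url} [{kind}]")
    print("known sample:", matches_sample(b"MZ not the real file"))
```

Hostname matching is exact rather than substring so that a lookalike such as notbitcoinstorm.cc does not fire; a host-only hit on one of these domains is still worth triage because Amadey polls the same host with a fixed path, so a later full-URL hit from the same client is likely.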
Targets
Target: amd.exe
Size: 437KB
MD5: 625cb97439daa80940791f626bb4765c
SHA1: af462cf5435efceefcd6786f212e192403e80c4b
SHA256: 79f5147260484890fd1fab7a78619de557103717e124f1c249addc530b737a71
SHA512: 145f8dba2288b45ef2f0ba1582861131501fb90697dfd1a79bfcdb93fa1d9110283ccb95e24317876082c7b5b24e32f2d7f954d93cb0cac2d819dec920d00891
SSDEEP: 12288:C+mHU45lKN78RhFkvULfYOmBpumeYDDtKf:Ce45lKh87zLwp7Kf
Score: 10/10
Signatures
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Hide Artifacts: Hidden Files and Directories (1)
- Modify Registry (1)