amadey | 138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a | Triage

Submit
Reports

Overview

overview

Static

static

3

Secur.exe

windows7-x64

Secur.exe

windows10-2004-x64

Sharing

General

Target

Secur.exe
Size

531KB
Sample

231124-b41j1afc4x
MD5

a544d2c23c55904dbf0f0190f42eaac6
SHA1

e9d920e5400b36562dfe81b900b99d35b70576b9
SHA256

138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
SHA512

21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
SSDEEP

12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/

Score

10^/10

amadey discovery spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Secur.exe

Resource

win7-20231023-en

windows7-x64

10 signatures

120 seconds

Behavioral task

behavioral2

Sample

Secur.exe

Resource

win10v2004-20231020-en

amadey discovery spyware stealer trojan

windows10-2004-x64

15 signatures

120 seconds

Malware Config

Extracted

Family

amadey

Version

4.12

C2

http://brodoyouevenlift.co.za

Attributes

install_dir
ce3eb8f6b2
install_file
Utsysc.exe
strings_key
c5b804d7b4c8a99f5afb89e5203cf3ba
url_paths
/g9sdjScV2/index.php

/vdhe8ejs3/index.php

rc4.plain

Targets

- Target
  
  Secur.exe
- Size
  
  531KB
- MD5
  
  a544d2c23c55904dbf0f0190f42eaac6
- SHA1
  
  e9d920e5400b36562dfe81b900b99d35b70576b9
- SHA256
  
  138b791bb04c3073e3e752fdcf5bc5490c4169e9f553954b025aab8414c4589a
- SHA512
  
  21d50d0239326ced64c8c294f53fd58fe715c3f38550b151117786b1201997e899414fefc3734fc139502d27b81c36c64d07dc64305ead24b80ac9646f114ac5
- SSDEEP
  
  12288:fz9JHhp3l7Nt0P78PyCp3qkxD+XYaVikoSG6s7XuwMefn:fzXtNeP7v6XZMYackkX/
Score

10^/10

amadey trojan discovery spyware stealer
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

amadeydiscoveryspywarestealertrojan

© 2018-2024

Terms | Privacy