Overview

overview

10

Static

static

3

48bcf2b8e6...9e.exe

windows7-x64

10

48bcf2b8e6...9e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.zip

  • Size

    299KB

  • Sample

    231125-lgghqahg37

  • MD5

    c73ffb2688d792c3411d403cd831425f

  • SHA1

    c4eea6f540e120a82892004a41baeeb9b33bf357

  • SHA256

    83aa7b6fd971fe439e866d69e74de44d98130a4b065bc9b119b758df21fa5fa3

  • SHA512

    c62cc811c633d8c7210214a1ece829f4f651741d8f22d1ef687cd60b0a30551c343b7c6bff6b0630c764cc7f80de13b7448156af69a5a2d796c5b7c9de304334

  • SSDEEP

    6144:+44pvfKw+kz05GDEu1k5i13Dtvkdb3rNfWZkMlpB/MFKwG:+HvfKw+kY5GDEu1Yi1xvibtC0XG

Score
10/10
amadeyspywarestealertrojan

Malware Config

Extracted

Family

amadey

C2

http://arrunda.ru

http://soetegem.com

http://tceducn.com
Attributes
  • strings_key

    eb714cabd2548b4a03c45f723f838bdc

  • url_paths

    /forum/index.php

rc4.plain

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com
Attributes
  • install_dir

    d4dd819322

  • install_file

    Utsysc.exe

  • strings_key

    8419b3024d6f72beef8af6915e592308

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Target

      48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe

    • Size

      389KB

    • MD5

      06db095ad745f4d74172f4fba8f3627b

    • SHA1

      ca7b62c845365ba6b89293c58b765ae6e583574f

    • SHA256

      48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e

    • SHA512

      394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207

    • SSDEEP

      6144:QBILQwvGEKYPrXiR8vXkQlJIX6nIFI9he4jy1JKSH:QBI8wuXCXiRclJ5x9hly1x

    Score
    10/10
    amadeyspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks