amadey | 4d4bf11482e87684166242e19f547b4c11aff999eeb858b9d5c8599e57048346 | Triage

Sharing

General

Target

eafccb8a097ebfd717b810a6174522e00037957c2deb8681a76c461ad572b47a
Size

294KB
Sample

231127-a6ngsadd29
MD5

31f4c883ea0219b2e5733fe0e146fa2b
SHA1

0b3ee55545685b61a694ab74c4cdf41846b3d3ef
SHA256

4d4bf11482e87684166242e19f547b4c11aff999eeb858b9d5c8599e57048346
SHA512

7f16d1477d1b0e11fe5bb4a71ec27e1f8b85f4ceea1ee9d3a35286249551db6c6facf9585746a07ac21ad5a5f12329df49c8a593d0329902658153696a23b1e5
SSDEEP

6144:NVROd9z7JLzxyXW1UhirSQpK/VkuccJhQ6JkhxKEmmL:NV0d9zNLzxAoUWLcTLJ4xKEb

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

C2

http://arrunda.ru

http://soetegem.com

http://tceducn.com

Attributes

strings_key
eb714cabd2548b4a03c45f723f838bdc
url_paths
/forum/index.php

rc4.plain

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Targets

- Target
  
  eafccb8a097ebfd717b810a6174522e00037957c2deb8681a76c461ad572b47a
- Size
  
  422KB
- MD5
  
  5a8beeebeb73ccf8f1cc295052b5c45a
- SHA1
  
  9fc73805f46e9bbeb02e26c3bda381f47956751e
- SHA256
  
  eafccb8a097ebfd717b810a6174522e00037957c2deb8681a76c461ad572b47a
- SHA512
  
  13b57e7624b4512f8c46dd46ec4582583e81ef338d508c96ad866bbd452f25a1fd1d08d4ab53354278bc3bf0bdc5d752db6cbe13df1e3fcd1a0fb4be796f71a0
- SSDEEP
  
  6144:tUHzd9/7JLzLyXW1UhiDSQpKRVkuc2JhQ6JJLML6mR:tUHzd9/NLzLAoU4z2TLJJLM
Score

10^/10

amadey spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyspywarestealertrojan

behavioral2

amadeyspywarestealertrojan