Overview

overview

10

Static

static

3

468033c2e6...5c.exe

windows7-x64

10

468033c2e6...5c.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    468033c2e6a98660cda4376fa7b2b95c.exe

  • Size

    436KB

  • Sample

    231127-sqrhlshd5v

  • MD5

    468033c2e6a98660cda4376fa7b2b95c

  • SHA1

    340529da72ad4aad5896cfdbd49d293028eb96d5

  • SHA256

    b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

  • SHA512

    25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

  • SSDEEP

    6144:KCS/nm7QpasI425Jyuu2LwKAFqfKxyiM0MxYhLcgvR:KCmsQpiufqfqTS

Score
10/10
amadeyspywarestealertrojan

Malware Config

Extracted

Family

amadey

C2

http://arrunda.ru

http://soetegem.com

http://tceducn.com
Attributes
  • strings_key

    eb714cabd2548b4a03c45f723f838bdc

  • url_paths

    /forum/index.php

rc4.plain

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com
Attributes
  • install_dir

    d4dd819322

  • install_file

    Utsysc.exe

  • strings_key

    8419b3024d6f72beef8af6915e592308

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Target

      468033c2e6a98660cda4376fa7b2b95c.exe

    • Size

      436KB

    • MD5

      468033c2e6a98660cda4376fa7b2b95c

    • SHA1

      340529da72ad4aad5896cfdbd49d293028eb96d5

    • SHA256

      b70d16a1fda7970ec06e9250b6215062d4a77b7c3bf52a75195ba8cce285643b

    • SHA512

      25581dcb6f731eccece7604b0d5410c356144b6886e8a344fd6891ec9544994e8279ee35d5b8f7f1cc7911cd7073f4ef6917ffb820effc48b4bb0af6f0318342

    • SSDEEP

      6144:KCS/nm7QpasI425Jyuu2LwKAFqfKxyiM0MxYhLcgvR:KCmsQpiufqfqTS

    Score
    10/10
    amadeyspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks