General

  • Target

    3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

  • Size

    309KB

  • Sample

    231129-j7ytksfa9v

  • MD5

    cec474126d3b1647dc4b610e4e674b0c

  • SHA1

    9289805256ae15da939bdb08d034e2f2533402d0

  • SHA256

    f1d0a44fff4e265f76fdfc8b585bfbe54b4662a0edb951d9566f279f2f181f0f

  • SHA512

    ab6015eb6e399fab97b1bd693f0c5f5a4500369d0eda919761cf53e0ab5b7b3e1d550eb3ea8924bf6fab620e581c885e6a9c5c0c99a69bf0388bd2f33df6dd4a

  • SSDEEP

    6144:cmcjVJM0o918MWWhUodIXbld/0d57bodK7i2sfFmxDRWHP+L6s:cm0Vyt1880ZFM5JS2RQGN

Malware Config

Extracted

Family

amadey

C2

http://arrunda.ru

http://soetegem.com

http://tceducn.com

Attributes
  • strings_key

    eb714cabd2548b4a03c45f723f838bdc

  • url_paths

    /forum/index.php

rc4.plain
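The strings_key attribute above is the key the sample uses to hide its embedded strings. The following is an added example, not code from the report or from the sandbox vendor: a plain RC4 routine driven by that key, with the assumption (stated here and in the comments) that each embedded Amadey string is stored as hex-encoded RC4 ciphertext and that the ASCII bytes of strings_key are used directly as the RC4 key. The encrypted blobs it decodes are constructed with the same routine so the example runs offline; they were not carved from the sample.

```python
# Added example (not part of the sandbox report): decoding Amadey strings
# with the extracted strings_key. Assumption: each embedded string is
# hex-encoded RC4 ciphertext and the ASCII bytes of strings_key are the key.
from typing import List, Optional

STRINGS_KEY = "eb714cabd2548b4a03c45f723f838bdc"   # strings_key, first extracted config


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: str = STRINGS_KEY) -> Optional[str]:
    """Hex-decode and RC4-decrypt one blob.

    Returns None when the blob is not valid hex, or when the result is not
    printable: RC4 under the wrong key yields pseudo-random bytes, so a
    non-printable result usually means the key does not belong to this sample.
    """
    try:
        raw = bytes.fromhex(hex_blob.strip())
    except ValueError:
        return None
    text = rc4(key.encode("ascii"), raw).decode("latin-1")
    return text if text.isprintable() else None


def decrypt_strings(blobs: List[str], key: str = STRINGS_KEY) -> List[Optional[str]]:
    """Decode a list of blobs, keeping position so failures are visible."""
    return [decrypt_string(b, key) for b in blobs]


def encrypt_string(plain: str, key: str = STRINGS_KEY) -> str:
    """Inverse helper, used only to build the constructed test data below."""
    return rc4(key.encode("ascii"), plain.encode("latin-1")).hex()


# Constructed blobs (made with encrypt_string, not extracted from the binary).
SAMPLE_BLOBS = [encrypt_string(s) for s in ("/forum/index.php", "Utsysc.exe")]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decrypt_strings(SAMPLE_BLOBS)):
        print(blob, "->", text)
```

To use it against real strings, replace SAMPLE_BLOBS with the hex blobs carved from the unpacked binary and, for the second config, swap in its own strings_key; a run that produces mostly None results is the signal that the key or the encoding assumption is wrong for that build.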

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes
  • install_dir

    d4dd819322

  • install_file

    Utsysc.exe

  • strings_key

    8419b3024d6f72beef8af6915e592308

  • url_paths

    /forum/index.php

rc4.plain
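Both extracted configs share the same url_paths value but list different C2 hosts, so the useful network indicator is the union of the six hosts plus the check-in path. The following is an added example, not part of the report or the vendor's tooling: a small hunt over proxy logs that flags POSTs to /forum/index.php on any of the extracted hosts, treats other traffic to those hosts as a weaker hit, and treats the path alone (a common forum URL) as review-only. The log format, client addresses, timestamps and the label names are constructed for the example.

```python
# Added example (not part of the sandbox report): hunting proxy logs for
# Amadey check-in traffic with the C2 hosts and url_paths extracted above.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

C2_HOSTS = {
    "arrunda.ru", "soetegem.com", "tceducn.com",        # first extracted config
    "shohetrc.com", "sibcomputer.ru", "tve-mail.com",   # second config (version 4.11)
}
CHECKIN_PATH = "/forum/index.php"   # url_paths, identical in both configs

# Constructed proxy log (not from the report), squid-like layout:
# <epoch> <client> <method> <url> <status> <bytes> "<user-agent>"
SAMPLE_LOG = """\
1701234567 10.0.0.21 POST http://arrunda.ru/forum/index.php 200 512 "Mozilla/4.0"
1701234627 10.0.0.21 POST http://soetegem.com/forum/index.php 200 512 "Mozilla/4.0"
1701234630 10.0.0.33 POST http://example.org/forum/index.php 200 900 "Mozilla/5.0"
1701234687 10.0.0.21 GET http://tve-mail.com/files/update.exe 200 131072 "Mozilla/4.0"
1701234700 10.0.0.45 GET http://www.example.com/ 200 2048 "Mozilla/5.0"
"""


def parse_line(line: str) -> dict:
    """Split one log line into fields; the quoted user-agent is the tail."""
    ts, client, method, url, status, size, ua = line.split(" ", 6)
    u = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method,
            "host": (u.hostname or "").lower(), "path": u.path,
            "status": int(status), "bytes": int(size), "ua": ua.strip('"')}


def classify(rec: dict) -> Optional[str]:
    """Label a record; only a known C2 host is a strong indicator."""
    is_checkin = rec["method"] == "POST" and rec["path"] == CHECKIN_PATH
    if rec["host"] in C2_HOSTS:
        return "amadey_c2_checkin" if is_checkin else "amadey_c2_other"
    if is_checkin:
        # /forum/index.php is an ordinary forum path, so on its own it is weak.
        return "checkin_path_unknown_host"
    return None


def hunt(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {client: [(label, host, path), ...]} for every flagged line."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            hits.setdefault(rec["client"], []).append((label, rec["host"], rec["path"]))
    return hits


def summarize(hits: dict) -> Dict[str, dict]:
    """Per client: distinct C2 hosts seen, check-in count and a verdict.
    A client touching several hosts from the list matches a bot that walks
    its configured C2 list when one host does not answer."""
    out = {}
    for client, events in hits.items():
        c2 = sorted({h for label, h, _ in events if label.startswith("amadey_c2")})
        checkins = sum(1 for label, _, _ in events if label == "amadey_c2_checkin")
        if checkins:
            verdict = "infected"
        elif c2:
            verdict = "contacted_c2"
        else:
            verdict = "review"
        out[client] = {"c2_hosts": c2, "checkins": checkins, "verdict": verdict}
    return out


if __name__ == "__main__":
    for client, info in summarize(hunt(SAMPLE_LOG)).items():
        print(client, info)
```

When running this on real data, expect the C2 hosts to rotate between builds; the path is the stable part of the indicator across the two configs, which is why the example keeps it as a separate, lower-confidence label rather than dropping it.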

Targets

    • Target

      3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

    • Size

      438KB

    • MD5

      0212113ffcbcd270155711883c54aead

    • SHA1

      d4cd2cf05cdf3860b64935f19a992f54323c941c

    • SHA256

      3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

    • SHA512

      f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

    • SSDEEP

      6144:Qm7ibXH2MT4Ju30WA/ySjIFbld/0d55bodKli2sfFaxDtWHP+vfKYhkp:Qh0Jy0WGTjAZFM5NSutQrYa

    • Amadey

      Amadey is a simple trojan bot primarily used for collecting reconnaissance information from the infected host.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
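The signatures above (Executes dropped EXE, Scheduled Task/Job) together with the install_dir and install_file values from the second config give a host-side artefact worth hunting for. The following is an added example, not part of the report or the sandbox's own detection logic: a triage routine for Windows Security event 4698 ("A scheduled task was created") that parses the task definition embedded in the event and flags tasks whose action runs from the expected drop location. It assumes the dropped copy lives at %TEMP%\<install_dir>\<install_file> and that the persistence task reruns it at a short repetition interval; both are assumptions, and the events it consumes are constructed here.

```python
# Added example (not part of the sandbox report): triage of Security event
# 4698 for the scheduled-task persistence and dropped EXE noted above.
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

INSTALL_DIR = "d4dd819322"     # install_dir from the second extracted config
INSTALL_FILE = "Utsysc.exe"    # install_file from the same config

# Assumption: the dropped copy is %TEMP%\<install_dir>\<install_file>.
DROP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\" + re.escape(INSTALL_DIR) + r"\\" + re.escape(INSTALL_FILE) + r"$",
    re.IGNORECASE,
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def make_event_4698(task_name: str, command: str, interval_min: Optional[int] = None) -> str:
    """Build a constructed 4698 event. As in real events, the task definition
    XML is carried escaped inside the TaskContent data field."""
    repetition = f"<Repetition><Interval>PT{interval_min}M</Interval></Repetition>" if interval_min else ""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger>{repetition}<Enabled>true</Enabled></TimeTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command></Exec></Actions>'
        "</Task>"
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID></System>"
        "<EventData>"
        '<Data Name="SubjectUserName">analyst</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        "</EventData></Event>"
    )


def _data(root: ET.Element, name: str) -> str:
    for d in root.iter(EVT_NS + "Data"):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def triage_4698(event_xml: str) -> Optional[dict]:
    """Parse one event; return indicators and a verdict, or None if not a 4698."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return None
    content = _data(root, "TaskContent")
    # Real events declare encoding="UTF-16" inside TaskContent; drop the
    # declaration before handing the already-decoded str to the parser.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", content)
    task = ET.fromstring(content)
    command = task.findtext(f".//{TASK_NS}Command") or ""
    m = re.fullmatch(r"PT(\d+)M", task.findtext(f".//{TASK_NS}Interval") or "")
    minutes = int(m.group(1)) if m else None

    indicators: List[str] = []
    if DROP_RE.search(command):
        indicators.append("command_is_amadey_drop_path")
    elif TEMP_RE.search(command):
        indicators.append("command_runs_from_temp")
    if minutes is not None and minutes <= 5:          # assumed short re-run interval
        indicators.append("high_frequency_repetition")

    if "command_is_amadey_drop_path" in indicators:
        verdict = "amadey_persistence"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"task": _data(root, "TaskName"), "command": command,
            "interval_min": minutes, "indicators": indicators, "verdict": verdict}


# Constructed events: one matching the drop path, one stock Windows task,
# one unrelated binary started from %TEMP%.
SAMPLE_EVENTS = [
    make_event_4698("\\Utsysc.exe", r"C:\Users\victim\AppData\Local\Temp\d4dd819322\Utsysc.exe", 1),
    make_event_4698("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe"),
    make_event_4698("\\Updater", r"C:\Users\victim\AppData\Local\Temp\setup.exe", 60),
]


def triage_all(events: List[str]) -> List[str]:
    return [(triage_4698(e) or {}).get("verdict", "not_4698") for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(triage_4698(e))
```

Event 4698 is only logged when "Audit Other Object Access Events" is enabled, so confirm that policy before relying on this; the same command-path check can be applied to the schtasks.exe command line in process-creation telemetry when the audit event is absent.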

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of report signatures mapped to each technique.

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Credential Access

    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 1

Tasks