General

  • Target

    60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

  • Size

    1MB

  • Sample

    231203-2fcq5sfg61

  • MD5

    28995fd2b7e5c574cd5c910d2f1fa923

  • SHA1

    38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

  • SHA256

    60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

  • SHA512

    ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

  • SSDEEP

    24576:CIf0vEXsfmUSIPhLNdG0LwXtvhJmyNDnG:xfWtdPzdG0UU

Malware Config

Extracted

Family

amadey

C2

http://185.196.8.195

http://brodoyouevenlift.co.za

Attributes
  • strings_key

    f7f36516fd699a26f0da3d64fdf9988f

  • url_paths

    /u6vhSc3PPq/index.php

    /jjuhhsa73/index.php

    /k92lsA3dpb/index.php

rc4.plain

Targets

    • Target

      60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

    • Size

      1MB

    • MD5

      28995fd2b7e5c574cd5c910d2f1fa923

    • SHA1

      38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

    • SHA256

      60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

    • SHA512

      ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

    • SSDEEP

      24576:CIf0vEXsfmUSIPhLNdG0LwXtvhJmyNDnG:xfWtdPzdG0UU

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect PureLogs payload

    • Detect ZGRat V1

    • PureLogs

      PureLogs is an infostealer written in C#.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Discovery

Query Registry

1
T1012

Tasks