amadey

Sharing

Copy URL

Twitter E-mail

General

Target

Temp.zip
Size

22.0MB
Sample

240126-xqjj8acch6
MD5

680b9f05186ea57c3839c00b04e1e92f
SHA1

2b8f4f0938e5e9d52ad9452fc7a5212fd464ea87
SHA256

0ec4dc59bfa704ff0777038d4c747fb42db308bed43f2ad6a681b645d1bfecbd
SHA512

55495dc8ce10490f610518ffd38ad00427ddbe5b0e08e426ed63fe720feab340a84b7df919f884592accbead278ec07a350e177264bd10607352faacb015d15d
SSDEEP

393216:cGoas8p7+A0FK06Goas8p7+A0FK0RVP+36T4nEZlFEHPj5e8tAZBalHiPJrOIVPX:LbsO7t6K0RbsO7t6K0RVP+3G+hVEOIVv

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.172.128.63

Attributes

install_dir
6187fcb526
install_file
Dctooux.exe
strings_key
cd3b2619c9009c441355ae581d53163e
url_paths
/v8sjh3hs8/index.php

rc4.plain

Targets

- Target
  
  2LRS3ODTLG3KRVJA1CCVAQPPFCFWXJL.exe
- Size
  
  4.5MB
- MD5
  
  37bb6dd5e4a0d91aef18c328fee94f89
- SHA1
  
  72c55abc1527c898153631f1e1233c48440d4ddd
- SHA256
  
  9571aa429ecf266de879d8a0e207e4240263e6031adc65293fce003fc8316b57
- SHA512
  
  693a47726692bf6853cc1da84bdb9a72c9fba9167c58ad79cf02df67be4993b9575287de5fe0221349e2be39c83d7d1cec00e4bb445a26ddf1726f9da3feb7da
- SSDEEP
  
  98304:ZfPdaLQlaZm8vWMTEGky215OS870Bh8/eSKl:ZfP8caA8vWYEGkKS870Bh8/eP
Score

10^/10

amadey persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  6G2SZLVHVHUJV21JB2FOVQKM701Z63B.exe
- Size
  
  4.5MB
- MD5
  
  37bb6dd5e4a0d91aef18c328fee94f89
- SHA1
  
  72c55abc1527c898153631f1e1233c48440d4ddd
- SHA256
  
  9571aa429ecf266de879d8a0e207e4240263e6031adc65293fce003fc8316b57
- SHA512
  
  693a47726692bf6853cc1da84bdb9a72c9fba9167c58ad79cf02df67be4993b9575287de5fe0221349e2be39c83d7d1cec00e4bb445a26ddf1726f9da3feb7da
- SSDEEP
  
  98304:ZfPdaLQlaZm8vWMTEGky215OS870Bh8/eSKl:ZfP8caA8vWYEGkKS870Bh8/eP
Score

10^/10

amadey persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  6TS3GUANXW9E1KF8.exe
- Size
  
  5.6MB
- MD5
  
  1a27bd843a09f923661a15300e02d703
- SHA1
  
  5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
- SHA256
  
  8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
- SHA512
  
  330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
- SSDEEP
  
  49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T
Score

10^/10

xmrig zgrat miner rat upx
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  G9NB5XSAH0XAAPCN.exe
- Size
  
  4.1MB
- MD5
  
  5432cd10140f359f17394c8e2340299c
- SHA1
  
  16ad79a097ff19b5089aff81b6bfa1a664affb18
- SHA256
  
  4e3934e65b6c2ea6be580d375f4515edf20643d88b5f83db63d2c0ad70ba0398
- SHA512
  
  05925ee28feb718c1d05216be2f4553b0db27f49aab42ae64559daa22c16b24b7c40de4ae83bd38e81f65173bf9584fbcbe3ad481366688a244e2e7774151f96
- SSDEEP
  
  98304:7ScbaLQaS+m0bcbE+1AZ1bpVDHBz/waoVNVncpH/s6i47:mn50N1AZ1dVLZwaoHxcpfm4
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  PV0HLG9QQ3YXXG1AJAMYRYE08NU.exe
- Size
  
  5.6MB
- MD5
  
  1a27bd843a09f923661a15300e02d703
- SHA1
  
  5cb66b20c4cbda0cd080bb2380034d7da9cc7ce6
- SHA256
  
  8ee36fd8214e1c9c09721d34bc9f28ed327c09bb9b05b70581697d3329e609c1
- SHA512
  
  330a78e0214304d4786d8d2d98905fbff7c530042eac93ea133995661a7432c60a9bb052804598479c461da6bef4bfdbffb8a5e8cd473fd6a96ff0012ceaab05
- SSDEEP
  
  49152:q6orqtRW0jfH4+8MjRJHiEpxxH4vNpQXGp8mih7NUfXUu4tEqNrqcqapPeDkwVzO:foWjZG/Mul2rq/aReDkizMeQU4T
Score

10^/10

xmrig zgrat miner rat upx
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  Protect544cd51a.dll
- Size
  
  742KB
- MD5
  
  544cd51a596619b78e9b54b70088307d
- SHA1
  
  4769ddd2dbc1dc44b758964ed0bd231b85880b65
- SHA256
  
  dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
- SHA512
  
  f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
- SSDEEP
  
  12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
Score

1^/10
behavioral11 behavioral12
- Target
  
  PsExec.exe
- Size
  
  699KB
- MD5
  
  24a648a48741b1ac809e47b9543c6f12
- SHA1
  
  3e2272b916da4be3c120d17490423230ab62c174
- SHA256
  
  078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
- SHA512
  
  b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a
- SSDEEP
  
  12288:LOO6oMlKDdwPDMlkw6Pph0lhSMXle+eO1HK+meynh5yRX3oRG72:LD9McwPDCkw6Bh0lhSMXlemqth5yRX3E
Score

1^/10
behavioral13 behavioral14
- Target
  
  W7W5WFGX1D82S3EIURREUP57O.exe
- Size
  
  4.1MB
- MD5
  
  5432cd10140f359f17394c8e2340299c
- SHA1
  
  16ad79a097ff19b5089aff81b6bfa1a664affb18
- SHA256
  
  4e3934e65b6c2ea6be580d375f4515edf20643d88b5f83db63d2c0ad70ba0398
- SHA512
  
  05925ee28feb718c1d05216be2f4553b0db27f49aab42ae64559daa22c16b24b7c40de4ae83bd38e81f65173bf9584fbcbe3ad481366688a244e2e7774151f96
- SSDEEP
  
  98304:7ScbaLQaS+m0bcbE+1AZ1bpVDHBz/waoVNVncpH/s6i47:mn50N1AZ1dVLZwaoHxcpfm4
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  skz3rpen.kc1.exe
- Size
  
  3KB
- MD5
  
  bc665c443936ecbaccac579b2e336c09
- SHA1
  
  0ec27635b26a2a311568824be2bcad09e0ccd027
- SHA256
  
  1b5b29a86fbab96326253ed97583e699dd7476907418f018486c1abb4ec3aec2
- SHA512
  
  2fee1859a5457d7d7230762eeb23d27db40223fdf793b09e9e704df34c6e4899b60d592c7026219582cd51c431a424eb040937c0ea033d27d9ecec8a630d336f
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Amadey

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Detect ZGRat V1

ZGRat

xmrig

XMRig Miner payload

.NET Reactor proctector

Executes dropped EXE

UPX packed file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Adds Run key to start application

Suspicious use of SetThreadContext

Detect ZGRat V1

ZGRat

xmrig

XMRig Miner payload

.NET Reactor proctector

Executes dropped EXE

UPX packed file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18