
General

  • Target: d6e85f8f8bbb3658c913fecae98e11df.bin.exe
  • Size: 430KB
  • Sample: 240307-k8bwwaga53
  • MD5: d6e85f8f8bbb3658c913fecae98e11df
  • SHA1: 3d379cf7ecc2bdd9bc7786dd2821259df11dcd2e
  • SHA256: fe85fdd0e4c5a86d58cbba30c1888ac5e519f08742abf3577ee5a8f17a676f2b
  • SHA512: 238fd34cf07e629ebf8b067dde8beb3c2e46c9eaa14d21945ba7bf40bb78a1abda8a037ecd10d33eb71612a8f04ad58d6d9d31db6c064d3e7b6b38a565b7403d
  • SSDEEP: 6144:Og0WT0YEHKty4vKl+xh5i4jiywKTb4Z6qW9DgPhVqa:OFWTSKty4S8h5i42dKn4c9D7

Malware Config

Extracted

  Family: amadey
  Version: 4.18

Attributes
  • install_dir: 154561dcbf
  • install_file: Dctooux.exe
  • strings_key: 2cd47fa043c815e1a033c67832f3c6a5
  • url_paths: /j4Fvskd3/index.php
  • rc4.plain

Targets

    • Amadey
      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads local data of messenger clients
      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

MITRE ATT&CK Enterprise v15

Tasks