amadey | 65a0a2b57b7a587cabaeee39e03cfe6639c8bfe727eea06062123a84fd1e55e0 | Triage

Sharing

General

Target

285e3fe042f687b463de137779ecb33d.bin
Size

1019B
Sample

240319-bsdk4ade87
MD5

ac0716a48beae0b886c1f9523cff8660
SHA1

c82b15d9fcc9a5ff04288d42688956ed6712cedf
SHA256

65a0a2b57b7a587cabaeee39e03cfe6639c8bfe727eea06062123a84fd1e55e0
SHA512

2e7513277e0bb080b59f7972c28a5203c948f10f5ad4bf7dfedf24848e4aaf9a227cdcc89fc835c32dd55df5bc02a827b3bc6cafb21db122ecf856d344302303

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://92.246.138.48/qqeng

Extracted

Language

hta

Source

URLs

hta.dropper

http://92.246.138.48/qqeng

Extracted

Family

amadey

Version

4.18

Attributes

install_dir
154561dcbf
install_file
Dctooux.exe
strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

Attributes

strings_key
2cd47fa043c815e1a033c67832f3c6a5
url_paths
/j4Fvskd3/index.php

rc4.plain

Targets

- Target
  
  9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b.lnk
- Size
  
  1KB
- MD5
  
  285e3fe042f687b463de137779ecb33d
- SHA1
  
  8b3aa13104920abc0eef34d720058f9ac120a680
- SHA256
  
  9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b
- SHA512
  
  9f0aebf5fb225623e8a9f2e7ecf7bed5b5a44b6c78076b1b4551e1e3ed73e8ebc8dbd276c4d07c2aa4b665273c26b3bdffd839252ca82f1e5f6e4b94a69e4e04
Score

10^/10

amadey spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

amadeyspywarestealertrojan