General

  • Target

    285e3fe042f687b463de137779ecb33d.bin

  • Size

    1019B

  • Sample

    240319-bsdk4ade87

  • MD5

    ac0716a48beae0b886c1f9523cff8660

  • SHA1

    c82b15d9fcc9a5ff04288d42688956ed6712cedf

  • SHA256

    65a0a2b57b7a587cabaeee39e03cfe6639c8bfe727eea06062123a84fd1e55e0

  • SHA512

    2e7513277e0bb080b59f7972c28a5203c948f10f5ad4bf7dfedf24848e4aaf9a227cdcc89fc835c32dd55df5bc02a827b3bc6cafb21db122ecf856d344302303

Malware Config

Extracted

  • Language

    hta

  • Source

  • URLs

    hta.dropper  http://92.246.138.48/qqeng

Extracted

Family

amadey

Version

4.18

Attributes
  • install_dir

    154561dcbf

  • install_file

    Dctooux.exe

  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

Attributes
  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Targets

    • Target

      9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b.lnk

    • Size

      1KB

    • MD5

      285e3fe042f687b463de137779ecb33d

    • SHA1

      8b3aa13104920abc0eef34d720058f9ac120a680

    • SHA256

      9117d5485e8365053ebc055eec3a439df927985113bf15f4607daf7bc04c5b7b

    • SHA512

      9f0aebf5fb225623e8a9f2e7ecf7bed5b5a44b6c78076b1b4551e1e3ed73e8ebc8dbd276c4d07c2aa4b665273c26b3bdffd839252ca82f1e5f6e4b94a69e4e04

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks