General
-
Target
be331c725bb8691b4cdc441bff8dac6138ad5498f48177691ce311a08a3a1b81.exe
-
Size
411KB
-
Sample
240322-dvgrmsaa8x
-
MD5
cb0abfec359d8dbf934857d9448c898a
-
SHA1
51a64cf93eee96dd1b885e51f363e86acd2ff98b
-
SHA256
be331c725bb8691b4cdc441bff8dac6138ad5498f48177691ce311a08a3a1b81
-
SHA512
ea5dd2d297f5b98e1f73bbfc782421241ea1205c411f017841d64a9e60774c010187188e48481cbe2c37868cff033664f24f38371dd3ef9951b5a94ef35313a3
-
SSDEEP
6144:Pm6VY1xewHVboL706awaWqgIorlzanEcD2pStdHFIm09r8wuOXzbHszA:u6VY1xxK7X/aWIgzxvpSFm93/iA
Malware Config
Extracted
amadey
4.18
-
install_dir
154561dcbf
-
install_file
Dctooux.exe
-
strings_key
2cd47fa043c815e1a033c67832f3c6a5
-
url_paths
/j4Fvskd3/index.php
Targets
-
-
Target
be331c725bb8691b4cdc441bff8dac6138ad5498f48177691ce311a08a3a1b81.exe
-
Size
411KB
-
MD5
cb0abfec359d8dbf934857d9448c898a
-
SHA1
51a64cf93eee96dd1b885e51f363e86acd2ff98b
-
SHA256
be331c725bb8691b4cdc441bff8dac6138ad5498f48177691ce311a08a3a1b81
-
SHA512
ea5dd2d297f5b98e1f73bbfc782421241ea1205c411f017841d64a9e60774c010187188e48481cbe2c37868cff033664f24f38371dd3ef9951b5a94ef35313a3
-
SSDEEP
6144:Pm6VY1xewHVboL706awaWqgIorlzanEcD2pStdHFIm09r8wuOXzbHszA:u6VY1xxK7X/aWIgzxvpSFm93/iA
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-