General

  • Target

    9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3

  • Size

    441KB

  • Sample

    240324-wbdvraha3z

  • MD5

    258e294a16170fba05529bcce0263608

  • SHA1

    50cc521dd5b5a9aa0e47870bc6dffa651ea7ae34

  • SHA256

    9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3

  • SHA512

    7f015af852be227e970e27ad2733fd8eaa076795faad34f01f3615656dcc62b3eae72d63fb2930cac8330917ceb843b30fad2e7e9bb34352681691c6e7c8fe3f

  • SSDEEP

    6144:h0h+V80D4cOyLE6lE/AW2BhkFvKwkZ+eXH+wVM21+rmqmvGIF:h++V80DXOn6luAjh+bwVMMd

Malware Config

Extracted

Family

amadey

Version

4.18

Attributes
  • install_dir

    154561dcbf

  • install_file

    Dctooux.exe

  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

Attributes
  • strings_key

    2cd47fa043c815e1a033c67832f3c6a5

  • url_paths

    /j4Fvskd3/index.php

rc4.plain

Targets

    • Target

      9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3

    • Size

      441KB

    • MD5

      258e294a16170fba05529bcce0263608

    • SHA1

      50cc521dd5b5a9aa0e47870bc6dffa651ea7ae34

    • SHA256

      9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3

    • SHA512

      7f015af852be227e970e27ad2733fd8eaa076795faad34f01f3615656dcc62b3eae72d63fb2930cac8330917ceb843b30fad2e7e9bb34352681691c6e7c8fe3f

    • SSDEEP

      6144:h0h+V80D4cOyLE6lE/AW2BhkFvKwkZ+eXH+wVM21+rmqmvGIF:h++V80DXOn6luAjh+bwVMMd

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Enterprise v15

Tasks