amadey | 1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4 | Triage

Submit
Reports

Overview

overview

Static

static

3

winprofile

windows7-x64

7

winprofile

windows10-1703-x64

Sharing

General

Target

1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4
Size

9.2MB
Sample

240325-fga32sgd89
MD5

6ff07f91eec875d0a044c73d4ad89b66
SHA1

7a9fe53800e419a027e899e84da5037f80bcb942
SHA256

1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4
SHA512

8f249f8362aa93696a8c75e46c4ace222198cd52cfec1abe5b5d19e1257e610228d15ff36628cd9ab0a9202b27c6380de48e6aa09605d795b4bdcee42e5c0953
SSDEEP

196608:O+yBLycnfg7zk5nOz9UToMWnYuz1gZgc1nyDWeyHy:ug7zk5n4MWnYuR6gcMDWPS

Score

10^/10

amadey zgrat persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4.exe

Resource

win7-20240221-en

windows7-x64

4 signatures

300 seconds

Behavioral task

behavioral2

Sample

1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4.exe

Resource

win10-20240221-en

amadey zgrat persistence rat trojan

windows10-1703-x64

14 signatures

300 seconds

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://ruspyc.top

Attributes

install_dir
5027aaabaf
install_file
Dctooux.exe
strings_key
ea32980f4b5f2367967b03fa80659f80
url_paths
/j4Fvskd3/index.php

rc4.plain

Targets

- Target
  
  1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4
- Size
  
  9.2MB
- MD5
  
  6ff07f91eec875d0a044c73d4ad89b66
- SHA1
  
  7a9fe53800e419a027e899e84da5037f80bcb942
- SHA256
  
  1f8867ada4ccbaf5d2d673607a54d043af5702083884050d58bc4349ca6bf9d4
- SHA512
  
  8f249f8362aa93696a8c75e46c4ace222198cd52cfec1abe5b5d19e1257e610228d15ff36628cd9ab0a9202b27c6380de48e6aa09605d795b4bdcee42e5c0953
- SSDEEP
  
  196608:O+yBLycnfg7zk5nOz9UToMWnYuz1gZgc1nyDWeyHy:ug7zk5n4MWnYuR6gcMDWPS
Score

10^/10

amadey zgrat persistence rat trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

amadeyzgratpersistencerattrojan

© 2018-2024

Terms | Privacy