General

  • Target

    Launcher.exe

  • Size

    364KB

  • Sample

    240329-r9vtpsah3s

  • MD5

    93fde4e38a84c83af842f73b176ab8dc

  • SHA1

    e8c55cc160a0a94e404f544b22e38511b9d71da8

  • SHA256

    fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

  • SHA512

    48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

  • SSDEEP

    6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Malware Config

Extracted

Family

amadey

Version

4.19

C2

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes
  • install_dir

    b4e248fdbd

  • install_file

    Dctooux.exe

  • strings_key

    01edd7c913096383774168b5aeebc95e

  • url_paths

    /hb9IvshS/index.php

    /hb9IvshS2/index.php

    /hb9IvshS3/index.php

rc4.plain

Targets

    • Target

      Launcher.exe

    • Size

      364KB

    • MD5

      93fde4e38a84c83af842f73b176ab8dc

    • SHA1

      e8c55cc160a0a94e404f544b22e38511b9d71da8

    • SHA256

      fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

    • SHA512

      48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

    • SSDEEP

      6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Command and Control

Web Service

1
T1102

Tasks