amadey | 4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d | Triage

Submit
Reports

Overview

overview

Static

static

3

abaf1e6e0c...05.exe

windows7-x64

abaf1e6e0c...05.exe

windows10-2004-x64

Sharing

General

Target

abaf1e6e0cadc624156319232e349005.exe
Size

2.6MB
Sample

240330-jle5cabc3t
MD5

abaf1e6e0cadc624156319232e349005
SHA1

cd856459027e73b316e0998d0ed9823dcc3b272a
SHA256

4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
SHA512

c1cd273e818418effad7eb2f7116ea9cfcb8ac125cf66586bdabf2f9e542b90d1609c3e18f74898684f71d3d32dcd20de0aa91df4176d13f0427b112e2de824e
SSDEEP

49152:KefMkcNeKO0lRR85uZ+C8X0muID5V8LJsnjP3QJop:xRQeKvlTgEm32JsjPgJop

Score

10^/10

amadey zgrat persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

abaf1e6e0cadc624156319232e349005.exe

Resource

win7-20240221-en

zgrat persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

abaf1e6e0cadc624156319232e349005.exe

Resource

win10v2004-20240226-en

amadey zgrat persistence rat trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

amadey

Version

4.19

C2

http://cjware.ru

Attributes

install_dir
4efe87c1c6
install_file
Dctooux.exe
strings_key
87e08e870e5f32be144db33e0903ffa2
url_paths
/scrubspoof/index.php

rc4.plain

Targets

- Target
  
  abaf1e6e0cadc624156319232e349005.exe
- Size
  
  2.6MB
- MD5
  
  abaf1e6e0cadc624156319232e349005
- SHA1
  
  cd856459027e73b316e0998d0ed9823dcc3b272a
- SHA256
  
  4bf50d078ab6f3cff117e42e77edf162d0ee9778993b585824157993c45c901d
- SHA512
  
  c1cd273e818418effad7eb2f7116ea9cfcb8ac125cf66586bdabf2f9e542b90d1609c3e18f74898684f71d3d32dcd20de0aa91df4176d13f0427b112e2de824e
- SSDEEP
  
  49152:KefMkcNeKO0lRR85uZ+C8X0muID5V8LJsnjP3QJop:xRQeKvlTgEm32JsjPgJop
Score

10^/10

zgrat persistence rat amadey trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect ZGRat V1
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

zgratpersistencerat

behavioral2

amadeyzgratpersistencerattrojan

© 2018-2024

Terms | Privacy