General
-
Target
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
-
Size
436KB
-
Sample
240419-cctstaef4s
-
MD5
f6ee2a295cd2ba584f9a363ade3d55b3
-
SHA1
c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
-
SHA256
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
-
SHA512
7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b
-
SSDEEP
6144:vZLBvj27DEXhnzCaknvrhHq6p5Km/OZ2iqzUhYA0FvYgtv3EagG64/dAdUcgf:hd72YmQ/mWZUzGUvYgt8FGBxcg
Malware Config
Extracted
amadey
4.19
-
install_dir
cbb1d94791
-
install_file
Dctooux.exe
-
strings_key
fcebaf717c71f51f8908b537784e2bee
-
url_paths
/8bjndDcoA3/index.php
Targets
-
-
Target
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
-
Size
436KB
-
MD5
f6ee2a295cd2ba584f9a363ade3d55b3
-
SHA1
c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
-
SHA256
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
-
SHA512
7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b
-
SSDEEP
6144:vZLBvj27DEXhnzCaknvrhHq6p5Km/OZ2iqzUhYA0FvYgtv3EagG64/dAdUcgf:hd72YmQ/mWZUzGUvYgt8FGBxcg
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-