General

  • Target

    am.exe

  • Size

    4.2MB

  • Sample

    240519-s6vj7sde86

  • MD5

    dee06456c2cd6367c77d6e665cb292f9

  • SHA1

    33d6677f1e04ab6656b839f354819b249e300787

  • SHA256

    bc5e1a99ef6ace27c7fe4db351f1b09de2d6c7f3dffc9231786786da71191623

  • SHA512

    636e3f72ed4fc97daacc6c048eccff6b1da14784ce712d9639b89420004f7c88a015cefc24c2f27e2f7c0f493b369a44697bc872a43247aeca4aac92d96096e4

  • SSDEEP

    98304:ul6bFlph/8dv6dVdm+wHFx4xSbaAbPVkFtncgy9E0alyttaM3ML:uAbRp8dv6dVdmDHFCS++VkFt2aonM

Malware Config

Extracted

  • Family

    amadey

  • Version

    4.20

  • Botnet

    523758

  • C2

    http://theclientisalwaysright.com

  • Attributes

      • install_dir

        b108e33186

      • install_file

        Dctooux.exe

      • strings_key

        3a99ddd4614527af7e2e996425319c4a

      • url_paths

        /8BvxwQdec3/index.php

  • rc4.plain

Targets

    • Target

      am.exe

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks