General

  • Target

    97e7d7f8bb1d6ca1132c4e5c3f6f178a10c77c30f03c56773a062fb5fc266b06

  • Size

    486KB

  • Sample

    240620-kh8g6aselj

  • MD5

    64d4f83323d2a7e3b838e3ccb3f756ac

  • SHA1

    277652c5492c396e8ee93f88de21aa018bf67420

  • SHA256

    97e7d7f8bb1d6ca1132c4e5c3f6f178a10c77c30f03c56773a062fb5fc266b06

  • SHA512

    291892121476036fdc6cc75c3bd4fe0e5145fc242bd1b43cb4c9b9822c878945341e9aebb91b263e372bb5ff7c0400e2db07cec56fd9504dee1e81971d5d122e

  • SSDEEP

    6144:REULSLEMJvNmnV70/uUpDaIrKhNcIU3sxIkNbi1N9I47fQoQf:rmLEMJ1CVUPMcIAqi1N9I

Score
10/10

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

9a3efc

C2

http://check-ftp.ru

Attributes
  • install_dir

    b9695770f1

  • install_file

    Dctooux.exe

  • strings_key

    1d3a0f2941c4060dba7f23a378474944

  • url_paths

    /forum/index.php

rc4.plain

Targets

    • Target

      97e7d7f8bb1d6ca1132c4e5c3f6f178a10c77c30f03c56773a062fb5fc266b06

    • Size

      486KB

    • MD5

      64d4f83323d2a7e3b838e3ccb3f756ac

    • SHA1

      277652c5492c396e8ee93f88de21aa018bf67420

    • SHA256

      97e7d7f8bb1d6ca1132c4e5c3f6f178a10c77c30f03c56773a062fb5fc266b06

    • SHA512

      291892121476036fdc6cc75c3bd4fe0e5145fc242bd1b43cb4c9b9822c878945341e9aebb91b263e372bb5ff7c0400e2db07cec56fd9504dee1e81971d5d122e

    • SSDEEP

      6144:REULSLEMJvNmnV70/uUpDaIrKhNcIU3sxIkNbi1N9I47fQoQf:rmLEMJ1CVUPMcIAqi1N9I

    Score
    10/10
    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks