Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    481KB

  • Sample

    240813-xw29hs1ere

  • MD5

    f9a4f6684d1bf48406a42921aebc1596

  • SHA1

    c9186ff53de4724ede20c6485136b4b2072bb6a6

  • SHA256

    e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

  • SHA512

    67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

  • SSDEEP

    12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP

Score
10/10
amadeycd33f9credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

cd33f9

C2

http://193.176.158.185

Attributes
  • install_dir

    fed0c9a4d3

  • install_file

    Hkbsse.exe

  • strings_key

    a2163aef710017f5548e7e730af53cca

  • url_paths

    /B0kf3CbAbR/index.php

rc4.plain

Targets

    • Target

      file.exe

    • Size

      481KB

    • MD5

      f9a4f6684d1bf48406a42921aebc1596

    • SHA1

      c9186ff53de4724ede20c6485136b4b2072bb6a6

    • SHA256

      e0a051f93d4c1e81cc142181d14249e246be4c169645d667267134b664e75042

    • SHA512

      67294a47dfef6aba404939497c403f93318841e9c5ee28b706f7506b5dff2630381e28e86f6dcbfdff2427092a515db1dc0a04e334e7f8de8b0b682269ff88fd

    • SSDEEP

      12288:UHdftnB3Zp+52J9+62HHLhJ3er8XSwW0:UNz3ZwwJ9+7HFnXP

    Score
    10/10
    amadeycd33f9credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealertrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks