amadey

General

Target

0580aef848b294e9276d99f5d8303770159034581f2fbf954eba4d16a573bdd4.exe
Size

1.9MB
Sample

240819-bemlvavgma
MD5

d4cb8ddfbe013e37df87098b7d46d25f
SHA1

62f89bcee4ba4f713aaf51c7ec2c78694c2123a3
SHA256

0580aef848b294e9276d99f5d8303770159034581f2fbf954eba4d16a573bdd4
SHA512

64968912102d26d37f89dbeafa22aea1f7883566de80fdc8c8b6064de30c70fa23437cea4dfa7214d0cd11ff845a3d9695a4a78fdf7814c0ba0929f0e8b38147
SSDEEP

24576:5b2vvKOE5wz2W/KxJysfVeKh1hTbLH4NdYAaQGfxisW5V5Fdml8K1aTo+IPX5TdX:leG5wzzwKKRT0rex65J8lCbDoMHKGKi

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

c7817d

C2

http://31.41.244.10

Attributes

install_dir
0e8d0864aa
install_file
svoutse.exe
strings_key
5481b88a6ef75bcf21333988a4e47048
url_paths
/Dem7kTu/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

C2

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes

url_path
/e2b1563c6670f193.php

Targets

- Target
  
  0580aef848b294e9276d99f5d8303770159034581f2fbf954eba4d16a573bdd4.exe
- Size
  
  1.9MB
- MD5
  
  d4cb8ddfbe013e37df87098b7d46d25f
- SHA1
  
  62f89bcee4ba4f713aaf51c7ec2c78694c2123a3
- SHA256
  
  0580aef848b294e9276d99f5d8303770159034581f2fbf954eba4d16a573bdd4
- SHA512
  
  64968912102d26d37f89dbeafa22aea1f7883566de80fdc8c8b6064de30c70fa23437cea4dfa7214d0cd11ff845a3d9695a4a78fdf7814c0ba0929f0e8b38147
- SSDEEP
  
  24576:5b2vvKOE5wz2W/KxJysfVeKh1hTbLH4NdYAaQGfxisW5V5Fdml8K1aTo+IPX5TdX:leG5wzzwKKRT0rex65J8lCbDoMHKGKi
Score

10^/10

amadey stealc c7817d kora nord credential_access discovery evasion persistence stealer trojan spyware
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2