amadey

Sharing

Copy URL

Twitter E-mail

General

Target

All.ElectroRAT.zip
Size

881KB
Sample

240913-r39z2svckg
MD5

7ff8d31ad43f62f1c6876b725a1ebb1f
SHA1

e23baf502bf5b2eb81fea0a2e570e7ade8998bee
SHA256

dda14413450a11f336a8305cf274943d614905c3429d4f0efeffe6bf4b8b7bdc
SHA512

b1afbd5ed92933ffa1a1add1b5b8cc581c7361d8106fed20a8aee1493af7a0279b27e4220515d39e4f5640df43309aa40073750f9e232438cc5f7a561273a9c6
SSDEEP

12288:yykcN4NEaT6082MQxzgoOnAlUiQNd83MBBPXyyg1/UgGc3G4af3ENPNBAIhH6oRt:vkckET92MAs8oNvLKBU5l4iCsWvVbGo

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

2.03

Botnet

044a28

Attributes

install_dir
3101f8f780
install_file
gbudn.exe
strings_key
98efc0765f4c223e79368db4c8650353
url_paths
/hfv23svj2/index.php

rc4.plain

Targets

- Target
  
  0468127a19daf4c7bc41015c5640fe1f
- Size
  
  121KB
- MD5
  
  0468127a19daf4c7bc41015c5640fe1f
- SHA1
  
  133877dd043578a2e9cbe1a4bf60259894288afa
- SHA256
  
  dd1792bcdf560ebaa633f72de4037e78fe1ada5c8694b9d4879554aedc323ac9
- SHA512
  
  39cec4cdc9e2b02923513a3f1bc3ac086b0598df77c7029493a810dfbe40c946fa62905d1dcb80aba87c9e74677aac893108faa94e027c261aff7d388bbdcdfc
- SSDEEP
  
  3072:5HYBf8YzKw/MHfBTU3eiu0B/qIbmuvFT8whrQnFW:5HY70Bou0B/q6IOrQnFW
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  2a3b92f6180367306d750e59c9b6446b
- Size
  
  178KB
- MD5
  
  2a3b92f6180367306d750e59c9b6446b
- SHA1
  
  95fb90137086c731b84db0a1ce3f0d74d6931534
- SHA256
  
  18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0
- SHA512
  
  c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0
- SSDEEP
  
  3072:GK0YqBB9mUQ13o2vM2tD81JI0MBkuomh87I3pBSpvVFLm:GnrB9mUWdk26DIquom2dN
Score

10^/10

amadey discovery trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  b154ac015c0d1d6250032f63c749f9cf
- Size
  
  457KB
- MD5
  
  b154ac015c0d1d6250032f63c749f9cf
- SHA1
  
  c96eab62367bd9efb5e124621d8dc2be7c5a61be
- SHA256
  
  f33c78cddcf99dd999b065644a17dcbac1b222a7f3342b3fe3293ddb6ecf0060
- SHA512
  
  dec37485f6e9e9109fa954d5e024223f555af7c2b12f5c9855aa77b43e97d5e54f4cdc651331eee2c7fcaf0a3fa58bb41222cdb3ce16c84b444ef564e7ce6eeb
- SSDEEP
  
  12288:vw4bw/3KjP7bHnREf60JDQJ1MFrhi9PFBVoI+kA3dz+YsM9jMw9pMQH/Nxct+fbN:I4bw/3KjP7bHnREf60JDQJ1MFrhi9PFE
Score

8^/10

discovery
- Modifies RDP port number used by Windows
behavioral5 behavioral6
- Target
  
  b96bd6bbf0e3f4f98b606a2ab5db4a69
- Size
  
  330KB
- MD5
  
  b96bd6bbf0e3f4f98b606a2ab5db4a69
- SHA1
  
  b1d370efd0accfc0850237d9d54b19c5c1bf071d
- SHA256
  
  2f83e130e52cb13944899e81f4ecf49decf52e3949f6d41b45e8b1a19a658ed6
- SHA512
  
  b15e3928fdce6193233c9bf06d979ba5c707144c68abd7a25b976f581f33eaca903f44f564d2d05481915d050e74385196cc61629b8bc5be393ae4c89acd6525
- SSDEEP
  
  6144:PEFgPWJh7yd23476SjW2h6al/k5MyF/zq2aqo:sFVJqoQk5FFrWL
Score

10^/10

kpot discovery stealer trojan
- KPOT
  KPOT is an information stealer that steals user data and account credentials.
  trojan stealer kpot
- KPOT Core Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral7 behavioral8
- Target
  
  bb8e52face5b076cc890bbfaaf4bb73e
- Size
  
  222KB
- MD5
  
  bb8e52face5b076cc890bbfaaf4bb73e
- SHA1
  
  df430358a2c7eaf3e328a00a6f961ded9428e491
- SHA256
  
  5545f31c832c8bde6cf7563cdc0f4a4b9b15416480e14f15420b1691444c376d
- SHA512
  
  f465c12bf336e659608c3a4f1e8e14b0876d28f0ad1a75ffb60c674da9a3535493a7e9357ef6b55f78666418ef9c4f7795aa2840aac0f41d6b53131e353b1a59
- SSDEEP
  
  6144:qJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TEGgO:RJpb7Y7vf5i5X9TcO
Score

8^/10

discovery
- Blocklisted process makes network request
behavioral10 behavioral9
- Target
  
  ca467e332368cbae652245faa4978aa4
- Size
  
  124KB
- MD5
  
  ca467e332368cbae652245faa4978aa4
- SHA1
  
  b6477944050fb4014c747c793378792b268ac06b
- SHA256
  
  279524f17f8dd8753f57c2e3e91d21ad84db10316dfbf925cc19556cef55b99d
- SHA512
  
  ce514859dd29aab68cc10acf7b2571a4f505b4ae4028f2bb9f733078d1eef6856581df42aa854861d8e7a8c61b01b9c67fd1f5774dd0c388a4ae960530d7f3af
- SSDEEP
  
  3072:OeZmogDk+MPedGpqpm2pSBwkXWEfIvgNL2oA29:OeZkgXPppvhfvNS
Score

10^/10

collection credential_access discovery spyware stealer amadey cred module trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Amadey credential stealer module
  cred module
- Blocklisted process makes network request
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral11 behavioral12
- Target
  
  e93d6f4ce34d4f594d7aed76cfde0fad
- Size
  
  1024KB
- MD5
  
  e93d6f4ce34d4f594d7aed76cfde0fad
- SHA1
  
  786273ccee50c19e5d6f92aac58dbf617c79ec06
- SHA256
  
  adeba13b358ea8be691fd7f4d025a6ea27b9b120d97d312ea875d6067434d77e
- SHA512
  
  f4ed1270e447fe7406f33a0f1580f4789a799e1f1bfbd8303f2e93d7868dc40b9971f13f88513e48340fa90c91cb86d56d998e0d9cfda65ba150add638ebf0c7
- SSDEEP
  
  1536:WVieJrIbvUMqCgBKrLDd0GqlMm2+Na4NMRJMZkWKaH6kY+1WrwHNzx7hb3xMc:kie1AUztxKaakY+ksHNl3Mc
Score

10^/10

kpot discovery stealer trojan
- KPOT
  KPOT is an information stealer that steals user data and account credentials.
  trojan stealer kpot
- KPOT Core Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral13 behavioral14
- Target
  
  fa5390bbcc4ab768dd81f31eac0950f6
- Size
  
  598KB
- MD5
  
  fa5390bbcc4ab768dd81f31eac0950f6
- SHA1
  
  c7d6151d7831d8b75ae6760c3006de58ae2d05e5
- SHA256
  
  587a4463673093554cd75b5c9ccb6c254a9d6e8769b1e45ea0390eb2b9d57bff
- SHA512
  
  867ddbba9144685aafaf90e8dc1b30ea47c8e9bb7eb1b57d8902d15e6cd632f85437e92371bf5f601a00bdf976b4c90739b027ebb48d2a9f8da8b174d618022e
- SSDEEP
  
  6144:HHY70Bou0B/q6IwThbCgcGA/siicMSwbSxwepXJRHCQn:H47Bu0B/LIUzBMKQn
Score

10^/10

kpot discovery stealer trojan
- KPOT
  KPOT is an information stealer that steals user data and account credentials.
  trojan stealer kpot
- KPOT Core Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral15 behavioral16