General

  • Target

    dda14413450a11f336a8305cf274943d614905c3429d4f0efeffe6bf4b8b7bdc

  • Size

    881KB

  • Sample

    240913-ssshpawaqf

  • MD5

    7ff8d31ad43f62f1c6876b725a1ebb1f

  • SHA1

    e23baf502bf5b2eb81fea0a2e570e7ade8998bee

  • SHA256

    dda14413450a11f336a8305cf274943d614905c3429d4f0efeffe6bf4b8b7bdc

  • SHA512

    b1afbd5ed92933ffa1a1add1b5b8cc581c7361d8106fed20a8aee1493af7a0279b27e4220515d39e4f5640df43309aa40073750f9e232438cc5f7a561273a9c6

  • SSDEEP

    12288:yykcN4NEaT6082MQxzgoOnAlUiQNd83MBBPXyyg1/UgGc3G4af3ENPNBAIhH6oRt:vkckET92MAs8oNvLKBU5l4iCsWvVbGo

Malware Config

Extracted

Family

amadey

Version

2.03

Botnet

044a28

Attributes
  • install_dir

    3101f8f780

  • install_file

    gbudn.exe

  • strings_key

    98efc0765f4c223e79368db4c8650353

  • url_paths

    /hfv23svj2/index.php

  • rc4.plain

    1
    16c3fb93d2b0672925c4b06a6c52be95

Targets

    • Target

      0468127a19daf4c7bc41015c5640fe1f

    • Size

      121KB

    • MD5

      0468127a19daf4c7bc41015c5640fe1f

    • SHA1

      133877dd043578a2e9cbe1a4bf60259894288afa

    • SHA256

      dd1792bcdf560ebaa633f72de4037e78fe1ada5c8694b9d4879554aedc323ac9

    • SHA512

      39cec4cdc9e2b02923513a3f1bc3ac086b0598df77c7029493a810dfbe40c946fa62905d1dcb80aba87c9e74677aac893108faa94e027c261aff7d388bbdcdfc

    • SSDEEP

      3072:5HYBf8YzKw/MHfBTU3eiu0B/qIbmuvFT8whrQnFW:5HY70Bou0B/q6IOrQnFW

    Score
    3/10
    • Target

      2a3b92f6180367306d750e59c9b6446b

    • Size

      178KB

    • MD5

      2a3b92f6180367306d750e59c9b6446b

    • SHA1

      95fb90137086c731b84db0a1ce3f0d74d6931534

    • SHA256

      18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

    • SHA512

      c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

    • SSDEEP

      3072:GK0YqBB9mUQ13o2vM2tD81JI0MBkuomh87I3pBSpvVFLm:GnrB9mUWdk26DIquom2dN

    Score
    10/10
    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      b154ac015c0d1d6250032f63c749f9cf

    • Size

      457KB

    • MD5

      b154ac015c0d1d6250032f63c749f9cf

    • SHA1

      c96eab62367bd9efb5e124621d8dc2be7c5a61be

    • SHA256

      f33c78cddcf99dd999b065644a17dcbac1b222a7f3342b3fe3293ddb6ecf0060

    • SHA512

      dec37485f6e9e9109fa954d5e024223f555af7c2b12f5c9855aa77b43e97d5e54f4cdc651331eee2c7fcaf0a3fa58bb41222cdb3ce16c84b444ef564e7ce6eeb

    • SSDEEP

      12288:vw4bw/3KjP7bHnREf60JDQJ1MFrhi9PFBVoI+kA3dz+YsM9jMw9pMQH/Nxct+fbN:I4bw/3KjP7bHnREf60JDQJ1MFrhi9PFE

    Score
    8/10
    • Modifies RDP port number used by Windows

    • Target

      b96bd6bbf0e3f4f98b606a2ab5db4a69

    • Size

      330KB

    • MD5

      b96bd6bbf0e3f4f98b606a2ab5db4a69

    • SHA1

      b1d370efd0accfc0850237d9d54b19c5c1bf071d

    • SHA256

      2f83e130e52cb13944899e81f4ecf49decf52e3949f6d41b45e8b1a19a658ed6

    • SHA512

      b15e3928fdce6193233c9bf06d979ba5c707144c68abd7a25b976f581f33eaca903f44f564d2d05481915d050e74385196cc61629b8bc5be393ae4c89acd6525

    • SSDEEP

      6144:PEFgPWJh7yd23476SjW2h6al/k5MyF/zq2aqo:sFVJqoQk5FFrWL

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

    • KPOT Core Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Target

      bb8e52face5b076cc890bbfaaf4bb73e

    • Size

      222KB

    • MD5

      bb8e52face5b076cc890bbfaaf4bb73e

    • SHA1

      df430358a2c7eaf3e328a00a6f961ded9428e491

    • SHA256

      5545f31c832c8bde6cf7563cdc0f4a4b9b15416480e14f15420b1691444c376d

    • SHA512

      f465c12bf336e659608c3a4f1e8e14b0876d28f0ad1a75ffb60c674da9a3535493a7e9357ef6b55f78666418ef9c4f7795aa2840aac0f41d6b53131e353b1a59

    • SSDEEP

      6144:qJ+WK/pvT7arfwKFzDTsv5oaTh45CjBscX9TEGgO:RJpb7Y7vf5i5X9TcO

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      ca467e332368cbae652245faa4978aa4

    • Size

      124KB

    • MD5

      ca467e332368cbae652245faa4978aa4

    • SHA1

      b6477944050fb4014c747c793378792b268ac06b

    • SHA256

      279524f17f8dd8753f57c2e3e91d21ad84db10316dfbf925cc19556cef55b99d

    • SHA512

      ce514859dd29aab68cc10acf7b2571a4f505b4ae4028f2bb9f733078d1eef6856581df42aa854861d8e7a8c61b01b9c67fd1f5774dd0c388a4ae960530d7f3af

    • SSDEEP

      3072:OeZmogDk+MPedGpqpm2pSBwkXWEfIvgNL2oA29:OeZkgXPppvhfvNS

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Blocklisted process makes network request

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      e93d6f4ce34d4f594d7aed76cfde0fad

    • Size

      1024KB

    • MD5

      e93d6f4ce34d4f594d7aed76cfde0fad

    • SHA1

      786273ccee50c19e5d6f92aac58dbf617c79ec06

    • SHA256

      adeba13b358ea8be691fd7f4d025a6ea27b9b120d97d312ea875d6067434d77e

    • SHA512

      f4ed1270e447fe7406f33a0f1580f4789a799e1f1bfbd8303f2e93d7868dc40b9971f13f88513e48340fa90c91cb86d56d998e0d9cfda65ba150add638ebf0c7

    • SSDEEP

      1536:WVieJrIbvUMqCgBKrLDd0GqlMm2+Na4NMRJMZkWKaH6kY+1WrwHNzx7hb3xMc:kie1AUztxKaakY+ksHNl3Mc

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

    • KPOT Core Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Target

      fa5390bbcc4ab768dd81f31eac0950f6

    • Size

      598KB

    • MD5

      fa5390bbcc4ab768dd81f31eac0950f6

    • SHA1

      c7d6151d7831d8b75ae6760c3006de58ae2d05e5

    • SHA256

      587a4463673093554cd75b5c9ccb6c254a9d6e8769b1e45ea0390eb2b9d57bff

    • SHA512

      867ddbba9144685aafaf90e8dc1b30ea47c8e9bb7eb1b57d8902d15e6cd632f85437e92371bf5f601a00bdf976b4c90739b027ebb48d2a9f8da8b174d618022e

    • SSDEEP

      6144:HHY70Bou0B/q6IwThbCgcGA/siicMSwbSxwepXJRHCQn:H47Bu0B/LIUzBMKQn

    • KPOT

      KPOT is an information stealer that steals user data and account credentials.

    • KPOT Core Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

MITRE ATT&CK Enterprise v15

Tasks

static1

044a28 cred module amadey
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

amadey discovery trojan
Score
10/10

behavioral4

amadey discovery trojan
Score
10/10

behavioral5

discovery
Score
8/10

behavioral6

discovery
Score
8/10

behavioral7

kpot discovery stealer trojan
Score
10/10

behavioral8

kpot discovery stealer trojan
Score
10/10

behavioral9

discovery
Score
8/10

behavioral10

discovery
Score
8/10

behavioral11

amadey collection cred credential_access discovery module spyware stealer trojan
Score
10/10

behavioral12

collection credential_access discovery spyware stealer
Score
8/10

behavioral13

kpot discovery stealer trojan
Score
10/10

behavioral14

kpot discovery stealer trojan
Score
10/10

behavioral15

kpot discovery stealer trojan
Score
10/10

behavioral16

kpot discovery stealer trojan
Score
10/10
