amadey | add08792bf25ce03eb1d80e9b891670043cd07506dbbf384481eff58f94d60c6 | Triage

Sharing

General

Target

f5d7b79ee6b6da6b50e536030bcc3b59.bin
Size

207KB
Sample

240915-cb4avszdkg
MD5

125af840339cfd6e8b8a671bf4b50be7
SHA1

d19cf845b3479095433e6b4d60dca9b704029578
SHA256

add08792bf25ce03eb1d80e9b891670043cd07506dbbf384481eff58f94d60c6
SHA512

4c75f35c743f95ffb6862d5cd48c53fdcdf12ba514c0eee4ecd5a7fdd4b6743cc679f4296df11712599af45c25863fc753d91bbf8f13e31305ab3d41ea35d6a1
SSDEEP

3072:w7Ke6x9vqdJEFNK73MzjsovDkimVu4dlxocWtKaj1X7zDnLY0MY3Ap2souv01km:bVxBaozmV/dboJ5ZLnMGAEsouv0N

Score

10^/10

amadey ec08f7 discovery

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

ec08f7

C2

http://185.215.113.26

Attributes

install_dir
054fdc5f70
install_file
Hkbsse.exe
strings_key
783c46f70668d3eed42e83c9f00fc0f5
url_paths
/Dem7kTu/index.php

rc4.plain

Targets

- Target
  
  2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459.exe
- Size
  
  416KB
- MD5
  
  f5d7b79ee6b6da6b50e536030bcc3b59
- SHA1
  
  751b555a8eede96d55395290f60adc43b28ba5e2
- SHA256
  
  2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
- SHA512
  
  532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
- SSDEEP
  
  12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2