amadey | 4078918043613a0ca03b117d29263f67a09477e6bab9d624453051d702065eb4 | Triage

Sharing

General

Target

e0fa46dcdfa93a3769a567a1498742d7.exe
Size

1.2MB
Sample

241031-1bawbavphl
MD5

e0fa46dcdfa93a3769a567a1498742d7
SHA1

ee175a77cd109dd569630f70191a3f99205f6b51
SHA256

4078918043613a0ca03b117d29263f67a09477e6bab9d624453051d702065eb4
SHA512

9596c6d645839e3cf5f8edadbcfcb8102e40de6acd3f77d0e72eb15bcd727444a601a7e31eb17bc2bf61a8b35d29666bc58e2083258bb136c105aa2867b20e97
SSDEEP

24576:Bjd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1HhHAO:BABHjh2OZ80ZzHIF85D

Score

10^/10

amadey c15c21 credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

c15c21

C2

http://45.93.20.135

Attributes

strings_key
5f9278bece2d0777966f092ec032e601
url_paths
/5nDshOg3cwA/index.php

rc4.plain

Targets

- Target
  
  e0fa46dcdfa93a3769a567a1498742d7.exe
- Size
  
  1.2MB
- MD5
  
  e0fa46dcdfa93a3769a567a1498742d7
- SHA1
  
  ee175a77cd109dd569630f70191a3f99205f6b51
- SHA256
  
  4078918043613a0ca03b117d29263f67a09477e6bab9d624453051d702065eb4
- SHA512
  
  9596c6d645839e3cf5f8edadbcfcb8102e40de6acd3f77d0e72eb15bcd727444a601a7e31eb17bc2bf61a8b35d29666bc58e2083258bb136c105aa2867b20e97
- SSDEEP
  
  24576:Bjd+7fzBMqZjh2sntUcCy8LfunZzW8IFHcDVh1HhHAO:BABHjh2OZ80ZzHIF85D
Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer
- Blocklisted process makes network request
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

behavioral2

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer