amadey

General

Target

a53a554301475205830875c9f876f132.exe
Size

1.8MB
Sample

241101-zd8dxsverd
MD5

a53a554301475205830875c9f876f132
SHA1

4e7e89c4a4c251b755a0c6549e6385b9e0e21c86
SHA256

03f7b84ec50050cb78882d7d568811f38fdf7586ecf528938d8653829c22cfc0
SHA512

a1e0c21205bcb2a149efa95d43544f8dee2a52a3bccc6036f541cb3d183fd1fea9eacf482e1b862f22d5d4b0e624d1540cc6408682addeea4baae496ef1d481e
SSDEEP

49152:zDuzXANA6q0ltRTdabE2nYGY+kNT1VeToBNe7dKKt:zSDd0lnTdaQeY7d1V3BNe7dKKt

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

C2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

C2

http://185.215.113.217

Attributes

install_dir
f9c76c1660
install_file
corept.exe
strings_key
9808a67f01d2f0720518035acbde7521
url_paths
/CoreOPT/index.php

rc4.plain

Targets

- Target
  
  a53a554301475205830875c9f876f132.exe
- Size
  
  1.8MB
- MD5
  
  a53a554301475205830875c9f876f132
- SHA1
  
  4e7e89c4a4c251b755a0c6549e6385b9e0e21c86
- SHA256
  
  03f7b84ec50050cb78882d7d568811f38fdf7586ecf528938d8653829c22cfc0
- SHA512
  
  a1e0c21205bcb2a149efa95d43544f8dee2a52a3bccc6036f541cb3d183fd1fea9eacf482e1b862f22d5d4b0e624d1540cc6408682addeea4baae496ef1d481e
- SSDEEP
  
  49152:zDuzXANA6q0ltRTdabE2nYGY+kNT1VeToBNe7dKKt:zSDd0lnTdaQeY7d1V3BNe7dKKt
Score

10^/10

amadey stealc 7c4393 default_valenciga fed3aa tale credential_access discovery evasion spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2