General

  • Target

    cred.dll

  • Size

    1.0MB

  • Sample

    241105-ksq1vsyfpr

  • MD5

    921b0badeaffee860310e6755769337e

  • SHA1

    cfe2dfe5f457383e1723e4423e78620cc9fa8f91

  • SHA256

    c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f

  • SHA512

    2035442326a8e1f9733fef189cd135ce7b2dd22deda62d74e99ffd7eb83413487b91d72dba47f5512e4adcd45998ff5680a4b75342bba4c43d34186eacce1120

  • SSDEEP

    24576:KNFxrUgNQWcPb72kXGWjVcwBlTd8DKT/VSMsCdTzHpgaym9:KNFxogmf2scG1Tzcm9

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

6305e7

C2

http://185.215.113.217

Attributes

  • strings_key

    d8908af61183845bc93b283be7b75129

  • url_paths

    /CoreOPT/index.php

  • rc4.plain

Targets

    • Target

      cred.dll


    • Blocklisted process makes network request

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

MITRE ATT&CK Enterprise v15

Tasks