amadey | 0b59637e728c7f10767882701f2631a03cbe303f1343fd74e3f8d6f539c8ab08 | Triage

Sharing

General

Target

cred.dll
Size

1.0MB
Sample

241118-m5f3javhnn
MD5

b87a6d1c962b04a2fed5693a392c2a0e
SHA1

258ea6bb032cd561f29b4a99469f8eeabfecd1c9
SHA256

0b59637e728c7f10767882701f2631a03cbe303f1343fd74e3f8d6f539c8ab08
SHA512

34380b57533709ccef25ca93cc6eb4d519997ba99f269283f935a86f87e8f2b9083d26c6972aace4145f15a6f0ad72a9154dd8bbe753fe32557303d735f0ea01
SSDEEP

24576:PNFxrUgNQWcXbTmjXGW71cwBlTd0DyzzdiM8ldbzHhoqzh:PNFxog2vmLcGMbzJzh

Score

10^/10

amadey c15c21 credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

c15c21

C2

http://45.93.20.135

Attributes

strings_key
5f9278bece2d0777966f092ec032e601
url_paths
/5nDshOg3cwA/index.php

rc4.plain

Targets

- Target
  
  cred.dll
- Size
  
  1.0MB
- MD5
  
  b87a6d1c962b04a2fed5693a392c2a0e
- SHA1
  
  258ea6bb032cd561f29b4a99469f8eeabfecd1c9
- SHA256
  
  0b59637e728c7f10767882701f2631a03cbe303f1343fd74e3f8d6f539c8ab08
- SHA512
  
  34380b57533709ccef25ca93cc6eb4d519997ba99f269283f935a86f87e8f2b9083d26c6972aace4145f15a6f0ad72a9154dd8bbe753fe32557303d735f0ea01
- SSDEEP
  
  24576:PNFxrUgNQWcXbTmjXGW71cwBlTd0DyzzdiM8ldbzHhoqzh:PNFxog2vmLcGMbzJzh
Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer
- Blocklisted process makes network request
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

behavioral2

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer