General

  • Target

    63ee440ff377880451eb881bdecd590651eb6080fcda03a774d0083dac13f1d2.exe

  • Size

    962KB

  • Sample

    241122-j4wvtatjfj

  • MD5

    c7558268cb4abe478aabd5a76407ddc1

  • SHA1

    ee5d800c1ba60a61d257f36d1dfe3d477b10ac10

  • SHA256

    63ee440ff377880451eb881bdecd590651eb6080fcda03a774d0083dac13f1d2

  • SHA512

    6daf0d2bf9394ad15db7c9c784f406919ae084b25b95d92626f244ed1f6591e4a40bad2b443c07d68f0acf729c556d11a65e9133db07d467a29484e7c666e998

  • SSDEEP

    12288:xT0iaBzz9UupPFcoHnqFdlF1PNke0ydluUEBCXadA0KytXL0TqeLxLIQy98Xi2/4:xTCBzBUUdL8Nr7rSGr3s

Malware Config

Extracted

Family

amadey

Version

3.81

Botnet

f9a925

C2

http://77.91.124.20

Attributes
  • install_dir

    c3912af058

  • install_file

    oneetx.exe

  • strings_key

    0504ce46646b0dc397a3c30d6692ec75

  • url_paths

    /store/games/index.php

  • rc4.plain
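
The strings_key above is the RC4 key Amadey uses to protect its embedded configuration strings. The following is an added example, not part of the sandbox report and not the malware's own code: a plain RC4 implementation plus helpers that apply the extracted key the way Amadey 3.x samples are generally documented to use it (the literal ASCII text of the key, with encrypted strings stored hex-encoded). That key-handling convention is an assumption taken from public write-ups, not something this page states; the test vector below is constructed by encrypting the page's own url_path value, since no real ciphertext from the sample is shown here.

```python
# Added example (not from the sandbox report): RC4 decryption of Amadey
# configuration strings using the extracted `strings_key`.
#
# Assumption (documented for Amadey 3.x elsewhere, not on this page):
# encrypted strings are hex-encoded, and the RC4 key is the ASCII text of
# `strings_key` itself, not its hex-decoded bytes.

STRINGS_KEY = "0504ce46646b0dc397a3c30d6692ec75"   # strings_key from the Attributes list


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_amadey_string(hex_blob: str, key: str = STRINGS_KEY) -> str:
    """Hex-decode an encrypted string and RC4-decrypt it with the ASCII key."""
    return rc4(key.encode("ascii"), bytes.fromhex(hex_blob)).decode("latin-1")


def encrypt_amadey_string(plain: str, key: str = STRINGS_KEY) -> str:
    """Inverse of decrypt_amadey_string; used here only to build a constructed test vector."""
    return rc4(key.encode("ascii"), plain.encode("latin-1")).hex()


# Constructed sample: the page's url_path value, encrypted under the page's key.
SAMPLE_CIPHERTEXT = encrypt_amadey_string("/store/games/index.php")

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("plaintext: ", decrypt_amadey_string(SAMPLE_CIPHERTEXT))
```

If a real string blob from the sample fails to decode to printable text with the ASCII key, try bytes.fromhex(STRINGS_KEY) as the key instead before concluding the key is wrong; the convention varies between loader families and between builds.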

Targets

    • Target

      63ee440ff377880451eb881bdecd590651eb6080fcda03a774d0083dac13f1d2.exe

    • Amadey

      Amadey is a small trojan/loader: it fingerprints the infected host, reports that reconnaissance to its C2, and fetches and runs further payloads on command.

    • Amadey family

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common building block of process hollowing and thread-hijacking injection.
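
The extracted C2 host, URL path and version are enough to write a network detection. The block below is an added example, not part of the sandbox report: it turns those indicators into a classifier and runs it over a few constructed proxy log lines. The log format, client addresses and request bodies are all made up for the example. The assumption that Amadey 3.x checks in with an HTTP POST whose form body carries fields such as id= and vs= (the bot version) comes from public write-ups, not from this page, so the version-field logic should be treated as a heuristic.

```python
# Added example (not from the sandbox report): matching proxy logs against
# the Amadey indicators extracted above.
#
# Grounded in the page: C2 host 77.91.124.20, url_path /store/games/index.php,
# version 3.81.
# Assumption (from public write-ups, not this page): the check-in is an HTTP
# POST with a form body containing, among others, id= and vs=<version>.

import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "77.91.124.20"
C2_PATH = "/store/games/index.php"
C2_DIR = C2_PATH.rsplit("/", 1)[0] + "/"          # "/store/games/"
EXPECTED_VERSION = "3.81"

# Constructed proxy log lines: "<ts> <client> <method> <url> <status> <body>".
# Hosts, clients and bodies are invented for the example.
SAMPLE_LOG = """\
2024-11-22T09:41:07Z 10.0.0.15 GET http://update.example.com/index.php 200 -
2024-11-22T09:41:12Z 10.0.0.15 POST http://77.91.124.20/store/games/index.php 200 id=5123874560&vs=3.81&sd=b2a3d4&os=9&bi=1&ar=1&pc=DESKTOP-1&un=user&dm=&av=0&lv=0&og=1
2024-11-22T09:41:20Z 10.0.0.22 POST http://77.91.124.20/store/games/index.php 200 id=7&vs=4.30&os=9
2024-11-22T09:42:01Z 10.0.0.31 GET http://77.91.124.20/store/games/Plugins/plugin.dll 200 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (.*)$")


def classify(line: str):
    """Return a hit dict for a line that touches the C2 host, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, body = m.groups()
    u = urlsplit(url)
    if u.hostname != C2_HOST:
        return None
    hit = {"ts": ts, "client": client, "url": url, "reason": []}
    if method == "POST" and u.path == C2_PATH:
        hit["reason"].append("amadey_c2_checkin")
        fields = parse_qs(body)                       # blank values are dropped
        vs = fields.get("vs", [""])[0]
        if vs == EXPECTED_VERSION:
            hit["reason"].append("version_match")
        elif vs:
            hit["reason"].append("version_mismatch:" + vs)
    elif u.path.startswith(C2_DIR):
        # Same C2 directory but not the check-in endpoint: likely a payload
        # or plugin fetch from the same panel.
        hit["reason"].append("amadey_c2_dir_fetch")
    else:
        hit["reason"].append("c2_host_contact")
    return hit


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [h for h in map(classify, log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], ",".join(hit["reason"]), hit["url"])
```

Matching on the host alone is the reliable part; the version check only adds confidence, and a version_mismatch hit still deserves the same response because the panel address is the stronger indicator.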
