General
-
Target
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
-
Size
799KB
-
Sample
241208-c3erksxqey
-
MD5
89bd66e4285cb7295300a941964af529
-
SHA1
232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
-
SHA256
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
-
SHA512
72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
-
SSDEEP
12288:TuhUdOIOQCEXR8DTX0mjy/tP1qtH/OefKE4Ov6O5ebo12AVwyPpW1amgufD/:TuhUSk8DTXtGtP4H5fLzp507uA1wufD
Malware Config
Extracted
amadey
5.04
397a17
http://89.110.69.103
http://94.156.177.33
-
install_dir
0efeaab28d
-
install_file
Gxtuum.exe
-
strings_key
6dea7a0890c1d404d1b67c90aea6ece4
-
url_paths
/Lv2D7fGdopb/index.php
/b9kdj3s3C0/index.php
Targets
-
-
Target
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
-
Size
799KB
-
MD5
89bd66e4285cb7295300a941964af529
-
SHA1
232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
-
SHA256
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
-
SHA512
72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
-
SSDEEP
12288:TuhUdOIOQCEXR8DTX0mjy/tP1qtH/OefKE4Ov6O5ebo12AVwyPpW1amgufD/:TuhUSk8DTXtGtP4H5fLzp507uA1wufD
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1