General

  • Target

    ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

  • Size

    1.3MB

  • Sample

    241212-c85j7asmcn

  • MD5

    db04aa6e158c5d52c20fc855f5285905

  • SHA1

    822416dfa3f094aa6776ed0cad77fb9083db29a3

  • SHA256

    ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f

  • SHA512

    cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff

  • SSDEEP

    24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

1cc3fe

C2

http://vitantgroup.com

Attributes
  • install_dir

    431a343abc

  • install_file

    Dctooux.exe

  • strings_key

    5a2387e2bfef84adb686c856b4155237

  • url_paths

    /xmlrpc.php

rc4.plain

Targets

    • Target

      ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

    • Size

      1.3MB

    • MD5

      db04aa6e158c5d52c20fc855f5285905

    • SHA1

      822416dfa3f094aa6776ed0cad77fb9083db29a3

    • SHA256

      ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f

    • SHA512

      cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff

    • SSDEEP

      24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks