amadey | dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c | Triage

Sharing

General

Target

dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c.exe
Size

437KB
Sample

241212-dby7ksxrcw
MD5

d317ee086ebeccf5e01e002ca6b0ead9
SHA1

48e8c5846d9c67649b3c2fb8d76aa951828dd84e
SHA256

dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c
SHA512

5fc335758f587e9f9f35309b101c16a4e2faa840013f8024f45eb33b9aa402a2877cbc07f76f389d25e2cf20607486997218de52c46364e2c89a5fa28a785032
SSDEEP

12288:fHxmm31uLFn23TURCwbH8SnBkKuJ+RctSaWrQz:/BuLFn2DUELSS7s

Score

10^/10

amadey 1cc3fe discovery

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

1cc3fe

C2

http://vitantgroup.com

Attributes

install_dir
431a343abc
install_file
Dctooux.exe
strings_key
5a2387e2bfef84adb686c856b4155237
url_paths
/xmlrpc.php

rc4.plain

Targets

- Target
  
  dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c.exe
- Size
  
  437KB
- MD5
  
  d317ee086ebeccf5e01e002ca6b0ead9
- SHA1
  
  48e8c5846d9c67649b3c2fb8d76aa951828dd84e
- SHA256
  
  dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c
- SHA512
  
  5fc335758f587e9f9f35309b101c16a4e2faa840013f8024f45eb33b9aa402a2877cbc07f76f389d25e2cf20607486997218de52c46364e2c89a5fa28a785032
- SSDEEP
  
  12288:fHxmm31uLFn23TURCwbH8SnBkKuJ+RctSaWrQz:/BuLFn2DUELSS7s
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2