amadey | 270f8ea1d4b8d58a411ba5724b64f104ad334015811b27f0ce149a8018b0c522 | Triage

Sharing

General

Target

270f8ea1d4b8d58a411ba5724b64f104ad334015811b27f0ce149a8018b0c522.exe
Size

1.1MB
Sample

241217-ctcwmaylbp
MD5

1bb5abf7ea180a98cfada20d0ab2ef8a
SHA1

1b56deda01cccd0b87e101c862a7837072d3c341
SHA256

270f8ea1d4b8d58a411ba5724b64f104ad334015811b27f0ce149a8018b0c522
SHA512

4a51aecf67a8d33878dc453a3dbeb86a2e4fb8526a5210b96cdca1941f3618525eea7137a3dcf526e7c7c80ef517884a08b88f94ada8f686aafd1bdd8b572f4a
SSDEEP

24576:uYHZ4lEg7JeKj/2kmII3C88IQtuo/P5dON9Ensqq8gEn2T:uYUMQ+PIGC88IQtuY0ysqq8g

Score

10^/10

amadey b44aeb discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

b44aeb

Attributes

install_dir
7725ce688f
install_file
Gxtuum.exe
strings_key
8bf9b3f72bb53c678e0173edf42df1ae
url_paths
/3ofn3jf3e2ljk/index.php

rc4.plain

Targets

- Target
  
  270f8ea1d4b8d58a411ba5724b64f104ad334015811b27f0ce149a8018b0c522.exe
- Size
  
  1.1MB
- MD5
  
  1bb5abf7ea180a98cfada20d0ab2ef8a
- SHA1
  
  1b56deda01cccd0b87e101c862a7837072d3c341
- SHA256
  
  270f8ea1d4b8d58a411ba5724b64f104ad334015811b27f0ce149a8018b0c522
- SHA512
  
  4a51aecf67a8d33878dc453a3dbeb86a2e4fb8526a5210b96cdca1941f3618525eea7137a3dcf526e7c7c80ef517884a08b88f94ada8f686aafd1bdd8b572f4a
- SSDEEP
  
  24576:uYHZ4lEg7JeKj/2kmII3C88IQtuo/P5dON9Ensqq8gEn2T:uYUMQ+PIGC88IQtuY0ysqq8g
Score

10^/10

discovery persistence amadey b44aeb trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

amadeyb44aebdiscoverypersistencetrojan