amadey | 82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c | Triage

Sharing

General

Target

am209.exe
Size

429KB
Sample

241218-mn6xmawqej
MD5

ce27255f0ef33ce6304e54d171e6547c
SHA1

e594c6743d869c852bf7a09e7fe8103b25949b6e
SHA256

82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c
SHA512

96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9
SSDEEP

6144:as9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AO+Zj5:as9C0eaieHmO292D3//yFPMsXkJ7gmk

Score

10^/10

amadey 4bee07 discovery

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

4bee07

C2

http://185.215.113.209

Attributes

install_dir
fc9e0aaab7
install_file
defnur.exe
strings_key
191655f008adc880f91bfc85bc56db54
url_paths
/Fru7Nk9/index.php

rc4.plain

Targets

- Target
  
  am209.exe
- Size
  
  429KB
- MD5
  
  ce27255f0ef33ce6304e54d171e6547c
- SHA1
  
  e594c6743d869c852bf7a09e7fe8103b25949b6e
- SHA256
  
  82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c
- SHA512
  
  96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9
- SSDEEP
  
  6144:as9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AO+Zj5:as9C0eaieHmO292D3//yFPMsXkJ7gmk
Score

8^/10

discovery
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2