amadey

General

Target

51ff79b406cb223dd49dd4c947ec97b0.exe
Size

429KB
Sample

241221-lnrl9sxpbm
MD5

51ff79b406cb223dd49dd4c947ec97b0
SHA1

b9b0253480a1b6cbdd673383320fecae5efb3dce
SHA256

2e3a5dfa44d59681a60d78b8b08a1af3878d8e270c02d7e31a0876a85eb42a7e
SHA512

c2b8d15b0dc1b0846f39ce007be2deb41d5b6ae76af90d618f29da8691ed987c42f3c270f0ea7f4d10cbd2d3877118f4133803c9c965b6ff236ff8cfafd9367c
SSDEEP

12288:v4RG6lx/9Njr18QlSfJy4FjMSkJCzDLGDWD:O9NtSTZMzmmD4

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

5.12

Botnet

d5db2d

C2

http://212.193.31.8

Attributes

install_dir
e458d263c0
install_file
Gxtuum.exe
strings_key
0e18a2a9dd22cd0f87c9fba7075c3b39
url_paths
/3ofn3jf3e2ljk2/index.php

rc4.plain

Targets

- Target
  
  51ff79b406cb223dd49dd4c947ec97b0.exe
- Size
  
  429KB
- MD5
  
  51ff79b406cb223dd49dd4c947ec97b0
- SHA1
  
  b9b0253480a1b6cbdd673383320fecae5efb3dce
- SHA256
  
  2e3a5dfa44d59681a60d78b8b08a1af3878d8e270c02d7e31a0876a85eb42a7e
- SHA512
  
  c2b8d15b0dc1b0846f39ce007be2deb41d5b6ae76af90d618f29da8691ed987c42f3c270f0ea7f4d10cbd2d3877118f4133803c9c965b6ff236ff8cfafd9367c
- SSDEEP
  
  12288:v4RG6lx/9Njr18QlSfJy4FjMSkJCzDLGDWD:O9NtSTZMzmmD4
Score

10^/10

amadey credential_access discovery execution persistence privilege_escalation spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2