General

  • Target

    cred64.dll.exe

  • Size

    1.2MB

  • Sample

    241223-gflzlawqas

  • MD5

    d862c12a4467ebae581a8c0cc3ea2211

  • SHA1

    9e797375b9b4422b2314d3e372628643ccf1c5db

  • SHA256

    47f8a270b27c18bab9013f4a8f0ee6e877e4050bd4018d682eb502bcfd5bff6d

  • SHA512

    cf6545df4a244bb7dc699a565759f97c759ba19bcc9ad9ad91a20cd07aee19cbe10eb82dd21416b717581b34dc4f24ba6d43a00e7d8018b8be133dbbc9e8113c

  • SSDEEP

    24576:MO/VvL5QafhQsnoXyaoMferXQ5rnxQBuLv8Y4JKMfUO9l:Z5nfhQzOMoA5rnxHv8PKre

Malware Config

Extracted

  • Family

    amadey

  • Version

    5.12

  • Botnet

    d5db2d

  • C2

    http://212.193.31.8

Attributes

  • strings_key

    0e18a2a9dd22cd0f87c9fba7075c3b39

  • url_paths

    /3ofn3jf3e2ljk2/index.php

  • rc4.plain
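The extracted config above is enough to build offline checks. The following is an added example, not part of the sandbox report or of the Amadey code: it implements RC4 for the key the report labels strings_key / rc4.plain, and scans constructed web-proxy lines for the C2 host and URL path. The C2 host, path and key are the values from the report; the assumption that strings decrypt as plain RC4 under the ASCII form of the key, the hex encoding of the blobs, the proxy log format and the log lines themselves are mine and are marked as constructed in the code.

```python
"""Offline checks built from the Amadey config extracted on this page.

Added example, not part of the sandbox report. The C2 host, URL path and
strings key are the values from the report; everything else (blob encoding,
log format, the log lines themselves) is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Values taken from the extracted config.
C2 = "http://212.193.31.8"
URL_PATHS = ["/3ofn3jf3e2ljk2/index.php"]
STRINGS_KEY = "0e18a2a9dd22cd0f87c9fba7075c3b39"  # labelled strings_key / rc4.plain


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). Symmetric: one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(hex_blob: str, key: str = STRINGS_KEY) -> str:
    """Decrypt one RC4 string blob with the extracted key.

    ASSUMPTION: the 32-character key is used as its ASCII bytes and the blob is
    hex-encoded. The page does not show the sample's actual blob format.
    """
    return rc4(key.encode(), bytes.fromhex(hex_blob)).decode("latin-1")


def encrypt_string(plain: str, key: str = STRINGS_KEY) -> str:
    """Build a blob in the same (assumed) format; used here to construct test input."""
    return rc4(key.encode(), plain.encode("latin-1")).hex()


def c2_indicators():
    """Return (host, full URLs) to feed a proxy blocklist or IDS rule."""
    host = urlparse(C2).hostname
    return host, [C2 + path for path in URL_PATHS]


# Constructed proxy log format: "<timestamp> <client ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_c2_hits(log_lines):
    """Return (client, url, match kind) for lines that reach the C2 host.

    A URL that matches host and path is 'exact'. Same host, different path is
    reported as 'host-only': the path is specific to this build, so a host match
    alone still deserves a look.
    """
    host, urls = c2_indicators()
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than miss the rest
        url = m.group("url")
        if urlparse(url).hostname != host:
            continue
        kind = "exact" if url in urls else "host-only"
        hits.append((m.group("src"), url, kind))
    return hits


# Constructed log lines: the two 212.193.31.8 entries are made up for the demo.
CONSTRUCTED_PROXY_LOG = [
    "2024-12-23T10:01:02Z 10.0.0.15 POST http://212.193.31.8/3ofn3jf3e2ljk2/index.php 200",
    "2024-12-23T10:01:05Z 10.0.0.15 GET http://212.193.31.8/some/other.php 404",
    "2024-12-23T10:01:09Z 10.0.0.22 GET http://example.com/index.php 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    blob = encrypt_string(C2 + URL_PATHS[0])  # constructed, not from the sample
    print("decrypted:", decrypt_string(blob))
    for hit in find_c2_hits(CONSTRUCTED_PROXY_LOG):
        print("C2 hit:", hit)
```

To use the decryptor on real material, feed decrypt_string the hex blobs recovered from the unpacked binary; if the output is not readable text, the blob format assumption above is wrong for this sample and the key usage needs checking against the code. The host-only match in find_c2_hits is deliberate: blocking only the exact path would miss the same infrastructure serving a different build.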

Targets

    • Target

      cred64.dll.exe

    • Blocklisted process makes network request

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and other account information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files on the system.

MITRE ATT&CK Enterprise v15