amadey

Sharing

Copy URL

Twitter E-mail

General

Target

WindscribeVPN-10_11.zip
Size

26.8MB
Sample

241225-lek35a1rcl
MD5

37f4558a18584be87c8bd21d611505d8
SHA1

19df34113c194709d21e5015352327e6521868f7
SHA256

3b1611cdb278a2ba185fb83a7585c1b3a4232e5a4c6c98e88e6e64ff31439934
SHA512

ba07104652d487af35c7f22b303b15da9537cfb9f284b9945111188e86b6d67061dac264ffaa4ee31f540ced3e2a790dc3e56eecb27bc48e4640c0ef165b99de
SSDEEP

786432:Fh5SIMAh2bCN8bRPis96jdP/oPKlapF2BpLpR1:FzM62W81NMjhblk2nL31

Score

10^/10

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

9c0a5d

http://185.208.158.116

http://185.209.162.226

http://zapsnn.com

Attributes

install_dir
cdf9d60151
install_file
Gxtuum.exe
strings_key
5866d84c2de724a41612b3c391bae33f
url_paths
/bVoZEtTa1/index.php

/bVoZEtTa2/index.php

/bVoZEtTa3/index.php

rc4.plain

Targets

- Target
  
  Launcher.dll
- Size
  
  2KB
- MD5
  
  95d4264d0cd2f784c9f33907a5165d4a
- SHA1
  
  4dbcdfd4f4ac3de2fe18a3ed5f984f097d36b157
- SHA256
  
  df572ac42bf0899818f243cd667d6b9efb8ae7c8330512974ce4b609c81b2caa
- SHA512
  
  6fd1b4ef0be954fe549438a58c5b031342de49b89950f9987b9b8b575e640f365ca84b94efcc747fc08ed408c39bc0be8815396bb55e6899588085b24c016187
Score

1^/10
behavioral1 behavioral2
- Target
  
  Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

10^/10

amadey 9c0a5d discovery execution persistence spyware stealer trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Amadey family
  amadey
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Adds Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4
- Target
  
  Launcher.exe.manifest
- Size
  
  1KB
- MD5
  
  1b6de83d3f1ccabf195a98a2972c366a
- SHA1
  
  09f03658306c4078b75fa648d763df9cddd62f23
- SHA256
  
  e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724
- SHA512
  
  e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  data/appInfo/services/Launhcer.dll
- Size
  
  2KB
- MD5
  
  ab117f05d16af429ceeb2410593d54df
- SHA1
  
  a962e8bc68293d8759be561eec09de5170148766
- SHA256
  
  4daf580ce0f912b8a4f5e56e4721880792a8a4dca68495b5f2aafaf5e6ebad6d
- SHA512
  
  07ac23a0906f544bd298e1931e4c6237082b8c46be987e62b69c3dc2899fbec2a9fb5eefd1a81eee665f65e42d3fe4c4400501edd66518e79d488e4b52d31ee3
Score

1^/10
behavioral7 behavioral8
- Target
  
  data/appInfo/services/Launhcer.exe
- Size
  
  364KB
- MD5
  
  e5c00b0bc45281666afd14eef04252b2
- SHA1
  
  3b6eecf8250e88169976a5f866d15c60ee66b758
- SHA256
  
  542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903
- SHA512
  
  2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387
- SSDEEP
  
  6144:+pS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYql6wrEJWPYg:+p8KLBzQ7Lcf3SiQs2FTTql9unNrkv75
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral10 behavioral9
- Target
  
  data/appInfo/services/WinRAR.exe
- Size
  
  2.1MB
- MD5
  
  f59f4f7bea12dd7c8d44f0a717c21c8e
- SHA1
  
  17629ccb3bd555b72a4432876145707613100b3e
- SHA256
  
  f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4
- SHA512
  
  44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c
- SSDEEP
  
  49152:2oJAPtSHWxwJWzkDVkwg5NYUzNjteyUHBdH3y005:2ZAHWSxkfNNte9BpCN
Score

4^/10

discovery persistence
behavioral11 behavioral12
- Target
  
  data/appInfo/services/data/Launcher.dll
- Size
  
  4KB
- MD5
  
  782da0b6fb776ba2bba525f767b6e078
- SHA1
  
  548bb11b03a16d6f27daa99f7ff5ef45862f98fb
- SHA256
  
  0742c6aab43f9be96d9e03fbee99d5f3bf6cdfddccde3726b61db3f0893d6d8a
- SHA512
  
  466d26a2203035040b3e8f3e7b9406e4392537d5ee323c44f1f74339dbb39258216ee736002186c361358ceeb0503ed0461e41c15eb5b251d38bb24768958237
- SSDEEP
  
  96:Z0bb/J5MJsliY7me70p09MDon8VKAq6+AE9U+M:ZC/3MJm6e70eMDTBDE95M
Score

1^/10
behavioral13 behavioral14
- Target
  
  data/appInfo/services/data/Launcher.exe
- Size
  
  364KB
- MD5
  
  93fde4e38a84c83af842f73b176ab8dc
- SHA1
  
  e8c55cc160a0a94e404f544b22e38511b9d71da8
- SHA256
  
  fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
- SHA512
  
  48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
- SSDEEP
  
  6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2
Score

8^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16