amadey | 517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952 | Triage

Sharing

General

Target

517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952N.exe
Size

596KB
Sample

250104-rrw9tatjdw
MD5

74ea3fe876df4812df04805cb921edb0
SHA1

43ba407cf7cb376fbc9932eb6b3142a3d606bdeb
SHA256

517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952
SHA512

f3b26517d67c0843b1ef57a7059d11b51bcbefb07ee092946c36722e29cf7d7131473ed6e9ff3a37a1655258e03199b3ceeec3171e67efc29abf3b23c1408b2a
SSDEEP

6144:Zs9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AOyZja:Zs9C0eaieHmO292D3//yFPMsXkJ7MmkE

Score

10^/10

amadey 5f729a credential_access discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

amadey

Version

5.10

Botnet

5f729a

C2

http://185.196.8.37

Attributes

install_dir
3660607b8b
install_file
Gxtuum.exe
strings_key
06cc94bf30d17b3ad1e50d5d826b2788
url_paths
/Gd85kkjf/index.php

rc4.plain

Targets

- Target
  
  517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952N.exe
- Size
  
  596KB
- MD5
  
  74ea3fe876df4812df04805cb921edb0
- SHA1
  
  43ba407cf7cb376fbc9932eb6b3142a3d606bdeb
- SHA256
  
  517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952
- SHA512
  
  f3b26517d67c0843b1ef57a7059d11b51bcbefb07ee092946c36722e29cf7d7131473ed6e9ff3a37a1655258e03199b3ceeec3171e67efc29abf3b23c1408b2a
- SSDEEP
  
  6144:Zs9C0eaieHm71o2pL2IMJDoMc2ZNu5GQpsnp/yFPMsXnQODVNIg+cTtgJ7AOyZja:Zs9C0eaieHmO292D3//yFPMsXkJ7MmkE
Score

8^/10

credential_access discovery execution persistence privilege_escalation spyware stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer

behavioral2

credential_accessdiscoveryexecutionpersistenceprivilege_escalationspywarestealer