amadey

General

Target

d2105345952320d956616ccf74f73024420f7619f745c5c1e06a272bcd7199dc.exe
Size

2.4MB
Sample

240628-b9a7asxdrj
MD5

278754c8f6050d4bbf4d9a243f048429
SHA1

7f5fea45aece28601ef66caa6d2174cd1657d60e
SHA256

d2105345952320d956616ccf74f73024420f7619f745c5c1e06a272bcd7199dc
SHA512

2c8d0f35449a0cd9af2658a8880a71381a117ffe1f5b654e73a5726e638e753304cd894641d5b6d0f31ba2505e71b906498d484cc6d7aaa7c1286dccfb150fdb
SSDEEP

49152:hVaSO67RllElwjXU925M3LrYr5V/iGfxuopt0w8olALw1U+3O:DK6llpMgM3LUrHf56Rol4CU

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Targets

- Target
  
  d2105345952320d956616ccf74f73024420f7619f745c5c1e06a272bcd7199dc.exe
- Size
  
  2.4MB
- MD5
  
  278754c8f6050d4bbf4d9a243f048429
- SHA1
  
  7f5fea45aece28601ef66caa6d2174cd1657d60e
- SHA256
  
  d2105345952320d956616ccf74f73024420f7619f745c5c1e06a272bcd7199dc
- SHA512
  
  2c8d0f35449a0cd9af2658a8880a71381a117ffe1f5b654e73a5726e638e753304cd894641d5b6d0f31ba2505e71b906498d484cc6d7aaa7c1286dccfb150fdb
- SSDEEP
  
  49152:hVaSO67RllElwjXU925M3LrYr5V/iGfxuopt0w8olALw1U+3O:DK6llpMgM3LUrHf56Rol4CU
Score

10^/10

amadey stealc 4dd39d default discovery evasion spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2