amadey

General

Target

d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4.exe
Size

2.4MB
Sample

240628-b9m6vsxejn
MD5

b034eecf4642c53db4eeb735c813bc27
SHA1

d6fef1943e0ccafbad7586dc4ecb1edf6c0707b3
SHA256

d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4
SHA512

68134bb53e2f1d09de06e53d397ccefbd4eef54fcee439ccfb6935fa91e595d52d4c3e325d5d2d54c0bbdf0e2a8a6264994800572bc8b468cf7e5a5d86e95c47
SSDEEP

49152:NqDOGdvl2S1drV7cMaIa/xx3VKfiZcvuk0OhR95Kj1AjHlWzOLNYPmPI:N21J1ZhusAcF3K5rzOKPmw

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Targets

- Target
  
  d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4.exe
- Size
  
  2.4MB
- MD5
  
  b034eecf4642c53db4eeb735c813bc27
- SHA1
  
  d6fef1943e0ccafbad7586dc4ecb1edf6c0707b3
- SHA256
  
  d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4
- SHA512
  
  68134bb53e2f1d09de06e53d397ccefbd4eef54fcee439ccfb6935fa91e595d52d4c3e325d5d2d54c0bbdf0e2a8a6264994800572bc8b468cf7e5a5d86e95c47
- SSDEEP
  
  49152:NqDOGdvl2S1drV7cMaIa/xx3VKfiZcvuk0OhR95Kj1AjHlWzOLNYPmPI:N21J1ZhusAcF3K5rzOKPmw
Score

10^/10

amadey stealc 4dd39d default discovery evasion spyware stealer trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Detect binaries embedding considerable number of MFA browser extension IDs.
- Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2