General
-
Target
OneApp.IGCC.WinService.zip
-
Size
3.5MB
-
Sample
240628-vr2fbaxclf
-
MD5
975b7e7c5ce9f455e9842c8ef481ef97
-
SHA1
89c5c444aac01d257f439d1aa37f96fb4c95b01b
-
SHA256
4439c40b5de4942e215ac33995c521bd20c906125ef009c913fcf466c7406f19
-
SHA512
b683d6623614648adef01793edc1a112e16dce9dcdeb8faf8b3bab013b7887ef974e21ed0d63c569c63156ea4a0f4d2ab91b1985110c2e82067ce2c41d5bcfc1
-
SSDEEP
98304:Z4zD9b+yz4BzQQHbaFZs2o08KZ57wuCGFT2y0D3u9P:ZKrzgcat2oIMuGyAe
Malware Config
Extracted
amadey
4.18
84fc95
http://pleasurecanbesafe.com
-
install_dir
40c3273379
-
install_file
Dctooux.exe
-
strings_key
65688f14a915e81474c2405160e45f77
-
url_paths
/7vAficZogD/index.php
Targets
-
-
Target
OneApp.IGCC.WinService.exe
-
Size
5.5MB
-
MD5
0cb7d11ea511391d791b0fbb9637ee79
-
SHA1
96c13496ad8342bdf1cb0ffbe59f673c8395e99b
-
SHA256
502129a00203367b15d57f87b5b51d01fb292928708decb723cd7ad866a7fda3
-
SHA512
8823a02a66d883cb7bffce5f4c93a216dd3280f5f65b340b00b8d6e72112327ef4e64fe6cd3c43dfe3dc7e241d19d4ea98bc9e9e3d49ca2818131920b4093aeb
-
SSDEEP
98304:MXu+i79EbSTjewAV6G67Ngr9wZZGBysnji/MZ/HqLGdOVnhamYMNwHYo8C4Esg6:MXuzCSTqwAV63Ngr9w6Zj5lHkG8hzqHw
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects HijackLoader (aka IDAT Loader)
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-