Rewterz Threat Alert – Amadey Botnet – Active IOCs

Severity

High

Analysis Summary

Amadey infects a victim’s computer and incorporates it into a. botnet. The Amadey trojan can also download additional malware. and exfiltrate user information to a command and control (C2) server. Moreover, it can engage the victim’s system. The threat actor sent spam emails that reference a package or shipment. Many of the emails claim in the subject line that the package or shipment is from the shipping company DHL. For example, one subject line is “You have a package coming from DHL.” The bodies of all of the emails we observed in this campaign are blank. Each email has a ZIP attachment containing a Visual Basic Script (VBS) file. Each file name for the ZIP files is a series of numbers separated by an underscore, such as 044450_64504154.zip. The VBS files have the same name as their ZIP file, except they have the VBS extension rather than the ZIP extension.

Impact

• Information Theft
• Exposure of Sensitive Data

Indicators of Compromise

MD5

f98a1aa99f81b5f5de9afac96867c0a7
250d52d34460604ca00617ca7ad2b8d0
6e7156634787ea0ef0f5b22fe2beaff3
8360f13abf75a3a2256cb604c197b369

SHA-256

• 0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64
• ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846
• 2630352d83d4f1045cc4db7ac7b978ee04590df043b5bad6da563106ee64ffbf
• 09de413a7dc85caf48022f7a89247ead15a3db0f0f41dcf627e5d28e88e30f1d

SHA-1

• 0140281245024b95c63ffc1170f8a55150815f52
• 5bf2a755a1afd0275a6b6907545d8b4a80cc0a65
• a9a951dfd0676222e7bf725de682d774b24e3bc9
• 5daf958f884b460245b84f17c9318315ca0f1858

Remediation

• Upgrade your operating system.
• Don’t open files and links from unknown sources.
• Install and run anti-virus scans.