Amadey C2 Panel afb0c86a

Detects the Amadey botnet C2 panel page.

Uses the fact that the assets are delimited using a backslash instead of the normal forward slash.

References

https://tracker.viriback.com
https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
https://urlscan.io/result/afb0c86a-7aba-492c-936c-87f59d872271

IOK Rule (edit)

title: Amadey C2 Panel afb0c86a
description: | 
  Detects the `Amadey` botnet C2 panel page. 

  Uses the fact that the assets are delimited 
  using a backslash instead of the normal forward
  slash.

references: 
  - https://tracker.viriback.com
  - https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
  - https://urlscan.io/result/afb0c86a-7aba-492c-936c-87f59d872271

detection: 

  assetPaths: 
    html|contains|all:  
      - 'Css\Style.css'
      - 'Images\bg_1.png'

  pageTitle: 
    html|contains: 'Authorization' 

  condition: assetPaths and pageTitle


tags: 
  - malware.amadey
  - malware