amadey | 03836c58849b0a81afa8ca68f6432653bf527b8899d8598cc53c8f640e11f0ad | Triage

Sharing

General

Target

03836c58849b0a81afa8ca68f6432653bf527b8899d8598cc53c8f640e11f0ad
Size

390KB
Sample

230722-gcm3gshg53
MD5

4f0575134b678741d1be57d0bae9b834
SHA1

df39a2712d23f6218b6997b476b061a9765adce0
SHA256

03836c58849b0a81afa8ca68f6432653bf527b8899d8598cc53c8f640e11f0ad
SHA512

71937f9945bbf56d1430dbb2a9bea8361d591164def8795f5cdff130284d4bc1f8143983fc7c500a64435ea60aab0540f035210d669061cc3d41f0f4eade73e5
SSDEEP

6144:Kjy+bnr+Sp0yN90QEUnIRMThXn7DmOEXXDnj7wp4PHRa5hfCcHnlRHg5k+qTVnwP:JMrmy90N+tXn7DREH7wpUUQcHnl92b5

Score

10^/10

amadey healer redline grom dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

77.91.68.3/home/love/index.php

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes

auth_value
9ec3129bff410b89097d656d7abc33dc

Targets

- Target
  
  03836c58849b0a81afa8ca68f6432653bf527b8899d8598cc53c8f640e11f0ad
- Size
  
  390KB
- MD5
  
  4f0575134b678741d1be57d0bae9b834
- SHA1
  
  df39a2712d23f6218b6997b476b061a9765adce0
- SHA256
  
  03836c58849b0a81afa8ca68f6432653bf527b8899d8598cc53c8f640e11f0ad
- SHA512
  
  71937f9945bbf56d1430dbb2a9bea8361d591164def8795f5cdff130284d4bc1f8143983fc7c500a64435ea60aab0540f035210d669061cc3d41f0f4eade73e5
- SSDEEP
  
  6144:Kjy+bnr+Sp0yN90QEUnIRMThXn7DmOEXXDnj7wp4PHRa5hfCcHnlRHg5k+qTVnwP:JMrmy90N+tXn7DREH7wpUUQcHnl92b5
Score

10^/10

amadey healer redline grom dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerredlinegromdropperevasioninfostealerpersistencetrojan