amadey | 80f00ecb0ac14402b87456fd2b1be3fee8bfea3d23bd9cc3c5486f913cd5c326 | Triage

Sharing

General

Target

80f00ecb0ac14402b87456fd2b1be3fee8bfea3d23bd9cc3c5486f913cd5c326
Size

390KB
Sample

230722-m91yhabb8z
MD5

c38aadc7ca70a7538e085c72737ae237
SHA1

fe1411cad2774d87b74d1a3c2976f8fa390383ad
SHA256

80f00ecb0ac14402b87456fd2b1be3fee8bfea3d23bd9cc3c5486f913cd5c326
SHA512

f837dcb43d6d56174d22048471adbda9873a01faf7a47e6f2a62cfe056b0078cf84c1bd454b3ee243ab509a6cbb445e6957e44a677a0752ac23fe3f55a6db5ae
SSDEEP

6144:Kxy+bnr+Up0yN90QEtmjgV2ZSXa8Pb46LahUN6cFsD8RRuQTWlN9+gk++:TMrYy90TRVnq8syHfRRq6XJ

Score

10^/10

amadey healer redline grom dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

77.91.68.3/home/love/index.php

Extracted

Family

redline

Botnet

grom

C2

77.91.68.68:19071

Attributes

auth_value
9ec3129bff410b89097d656d7abc33dc

Targets

- Target
  
  80f00ecb0ac14402b87456fd2b1be3fee8bfea3d23bd9cc3c5486f913cd5c326
- Size
  
  390KB
- MD5
  
  c38aadc7ca70a7538e085c72737ae237
- SHA1
  
  fe1411cad2774d87b74d1a3c2976f8fa390383ad
- SHA256
  
  80f00ecb0ac14402b87456fd2b1be3fee8bfea3d23bd9cc3c5486f913cd5c326
- SHA512
  
  f837dcb43d6d56174d22048471adbda9873a01faf7a47e6f2a62cfe056b0078cf84c1bd454b3ee243ab509a6cbb445e6957e44a677a0752ac23fe3f55a6db5ae
- SSDEEP
  
  6144:Kxy+bnr+Up0yN90QEtmjgV2ZSXa8Pb46LahUN6cFsD8RRuQTWlN9+gk++:TMrYy90TRVnq8syHfRRq6XJ
Score

10^/10

amadey healer redline grom dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerredlinegromdropperevasioninfostealerpersistencetrojan