amadey | 11b89de9c094c734e1e099292a2567d503510b102b4861b38608662c54372a99 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

11b89de9c094c734e1e099292a2567d503510b102b4861b38608662c54372a99_JC.exe
Size

359KB
Sample

230805-lxheyscg2s
MD5

332fe1546f87c32222aee61c5a21af58
SHA1

0385fe1becb67f54e4240a5f9d160fc9e4e45ba4
SHA256

11b89de9c094c734e1e099292a2567d503510b102b4861b38608662c54372a99
SHA512

a4ee3dc38ceb4c5bae254104d20174f3188ced9ef9d58e9d32df04a798f15501262048b35729a6d07d4c7b084da1641ba754a4e82d244605d450d24170255b3e
SSDEEP

6144:Kcy+bnr+op0yN90QEs3mVnr5PR8ztdgR5DEqmkGo0yqDKCaHX0ys2PYs:8Mr0y90KWVdZe+UqhGaqeHExcN

Score

10^/10

amadey healer smokeloader backdoor dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

77.91.68.61/rock/index.php

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  11b89de9c094c734e1e099292a2567d503510b102b4861b38608662c54372a99_JC.exe
- Size
  
  359KB
- MD5
  
  332fe1546f87c32222aee61c5a21af58
- SHA1
  
  0385fe1becb67f54e4240a5f9d160fc9e4e45ba4
- SHA256
  
  11b89de9c094c734e1e099292a2567d503510b102b4861b38608662c54372a99
- SHA512
  
  a4ee3dc38ceb4c5bae254104d20174f3188ced9ef9d58e9d32df04a798f15501262048b35729a6d07d4c7b084da1641ba754a4e82d244605d450d24170255b3e
- SSDEEP
  
  6144:Kcy+bnr+op0yN90QEs3mVnr5PR8ztdgR5DEqmkGo0yqDKCaHX0ys2PYs:8Mr0y90KWVdZe+UqhGaqeHExcN
Score

10^/10

amadey healer smokeloader backdoor dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan

behavioral2

amadeyhealersmokeloaderbackdoordropperevasionpersistencetrojan