amadey | 0118cf76a452338737c7fc4c4d1e63a781671ad4084e4d64da1291763654b571 | Triage

Sharing

General

Target

0118cf76a452338737c7fc4c4d1e63a781671ad4084e4d64da1291763654b571
Size

715KB
Sample

230822-nscp1sbh88
MD5

b2de32d9e9f2fa7cab361479c055cbd0
SHA1

d856c66d5ca730daa06d91bcd0153517864a1f76
SHA256

0118cf76a452338737c7fc4c4d1e63a781671ad4084e4d64da1291763654b571
SHA512

e55484008d986465819911889392cffdf446ffbcd60348ee4f0edfd797edf9788bc1334873a5db6feea1772d5e9ed859e6e7e65d272e3dc815c613565b038839
SSDEEP

12288:yMrny90cm8rA3xZZjOWYQ9ZbAWjDucfAC4f2ZHwpqxd7u/r2B3BG5c:NyVtAZKahAIAC4f2ZHQi7uz2hBmc

Score

10^/10

amadey healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

S-%lu-

C2

77.91.68.18/nice/index.php

3.87/nice/index.php

Extracted

Family

redline

Botnet

piter

C2

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Targets

- Target
  
  0118cf76a452338737c7fc4c4d1e63a781671ad4084e4d64da1291763654b571
- Size
  
  715KB
- MD5
  
  b2de32d9e9f2fa7cab361479c055cbd0
- SHA1
  
  d856c66d5ca730daa06d91bcd0153517864a1f76
- SHA256
  
  0118cf76a452338737c7fc4c4d1e63a781671ad4084e4d64da1291763654b571
- SHA512
  
  e55484008d986465819911889392cffdf446ffbcd60348ee4f0edfd797edf9788bc1334873a5db6feea1772d5e9ed859e6e7e65d272e3dc815c613565b038839
- SSDEEP
  
  12288:yMrny90cm8rA3xZZjOWYQ9ZbAWjDucfAC4f2ZHwpqxd7u/r2B3BG5c:NyVtAZKahAIAC4f2ZHQi7uz2hBmc
Score

10^/10

amadey healer redline piter dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerredlinepiterdropperevasioninfostealerpersistencetrojan