amadey | e15e8859faa39ca6b7cfcd12e85e199137beea9b181b054440b79945d5ffec37 | Triage

Sharing

General

Target

e15e8859faa39ca6b7cfcd12e85e199137beea9b181b054440b79945d5ffec37
Size

701KB
Sample

230830-qpxbcseg2x
MD5

4b7df45cdffc5dd3b357b82cc7d2989e
SHA1

a32564988cbf0fd1cd89c6d885d7c8f8d6ded667
SHA256

e15e8859faa39ca6b7cfcd12e85e199137beea9b181b054440b79945d5ffec37
SHA512

04e11c4962d218cb1a12370b679fc8cf52858267c8d34c313dacbaf058343a26dded1938b45d9062f51d45faac6c6442b897865601c23687e0711d7551e9f178
SSDEEP

12288:XMrTy90KvMcUvX5zJoucOxq5HNbjLdCAVli3JKMZyAic/zVc:4yBUvJdo5eq9BjE0ldME2c

Score

10^/10

amadey healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Targets

- Target
  
  e15e8859faa39ca6b7cfcd12e85e199137beea9b181b054440b79945d5ffec37
- Size
  
  701KB
- MD5
  
  4b7df45cdffc5dd3b357b82cc7d2989e
- SHA1
  
  a32564988cbf0fd1cd89c6d885d7c8f8d6ded667
- SHA256
  
  e15e8859faa39ca6b7cfcd12e85e199137beea9b181b054440b79945d5ffec37
- SHA512
  
  04e11c4962d218cb1a12370b679fc8cf52858267c8d34c313dacbaf058343a26dded1938b45d9062f51d45faac6c6442b897865601c23687e0711d7551e9f178
- SSDEEP
  
  12288:XMrTy90KvMcUvX5zJoucOxq5HNbjLdCAVli3JKMZyAic/zVc:4yBUvJdo5eq9BjE0ldME2c
Score

10^/10

amadey healer redline sruta dropper evasion infostealer persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerredlinesrutadropperevasioninfostealerpersistencetrojan