amadey | cfe398d48a56b469247d18362e6eaa0f3b2d3882cb3773eea60b5a56b8dde3bc | Triage

Sharing

General

Target

182024beffcb7c5fbce36af989bf052dea4ed45fa0cc07156f3e39a24fc5178e.bin.sample.gz
Size

232KB
Sample

231004-n2pqyabf31
MD5

0784a452c86ba2e488fb45669ec925da
SHA1

fc1c560290e8885c8e465723fe7ea0a06edbe03d
SHA256

cfe398d48a56b469247d18362e6eaa0f3b2d3882cb3773eea60b5a56b8dde3bc
SHA512

ffdb294f3bd3aa0ee7ce1e870f8658bfb450833ef8e637b38ae43888c2c9bdc02ae0e4c143ce26ea12400b3d38a5a13f41f14e8580395b5d69bd0f637a69aa01
SSDEEP

6144:YDLNJ/mH0E+4WN90xD8WY97s7vzgnip8MaNinqaTT3K:Y/NR/E+4e90x8xFs7zXy/gjO

Score

10^/10

amadey healer dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://193.233.255.9/nasa/index.php

Attributes

install_dir
ebb444342c
install_file
legosa.exe
strings_key
0b59a358b8646634fe523e0d5fe7fc43

rc4.plain

Targets

- Target
  
  sample
- Size
  
  277KB
- MD5
  
  5cc2d9573c5a19241afd9c7ea6342946
- SHA1
  
  133e060e0133aaddc269718278d3559b65f0877e
- SHA256
  
  182024beffcb7c5fbce36af989bf052dea4ed45fa0cc07156f3e39a24fc5178e
- SHA512
  
  3bdeff5bd3d8c12622376a079f9d86f5a22d2facfbe9f4cc599f6e881f777160b0264ede73fa03d9dcfa3df7c0b0ea3a5106f72e68765910126676500ab3f2e2
- SSDEEP
  
  6144:KCy+bnr+3p0yN90QEyvs7dzw5ip800PK6XpqaTUgCZVP:aMrXy90osxzzySgTiP
Score

10^/10

amadey healer dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerdropperevasionpersistencetrojan

behavioral2

amadeyhealerdropperevasionpersistencetrojan