General

  • Target

    7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991

  • Size

    609KB

  • Sample

    240430-3z5fyaba6s

  • MD5

    1e6a63ca1ee2c63625362f59ece464e4

  • SHA1

    f1b956db4610e18114484326d13e7d3445c1db4d

  • SHA256

    7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991

  • SHA512

    24ca8f1a6af38f6a354c32ada274a5f8ff73831f76bf9ac4c44e8b8190bb685554d13ab1101232b8e0580093b6a7f22e8d1de486176cd4ae929b22c0047b778e

  • SSDEEP

    12288:vy90vqVyT0LPPw5q8Rb1iN7cqyl+oYbl6scY1:vyAsyT2PUq8rihByl+Y2

Malware Config

Extracted

Family

amadey

Version

3.80

C2

http://193.3.19.154

Attributes

  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Targets

    • Target

      7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991

    • Size

      609KB

    • MD5

      1e6a63ca1ee2c63625362f59ece464e4

    • SHA1

      f1b956db4610e18114484326d13e7d3445c1db4d

    • SHA256

      7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991

    • SHA512

      24ca8f1a6af38f6a354c32ada274a5f8ff73831f76bf9ac4c44e8b8190bb685554d13ab1101232b8e0580093b6a7f22e8d1de486176cd4ae929b22c0047b778e

    • SSDEEP

      12288:vy90vqVyT0LPPw5q8Rb1iN7cqyl+oYbl6scY1:vyAsyT2PUq8rihByl+Y2

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer, an antivirus disabler dropper.

    • Modifies Windows Defender Real-time Protection settings

    • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks