General
-
Target
7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991
-
Size
609KB
-
Sample
240430-3z5fyaba6s
-
MD5
1e6a63ca1ee2c63625362f59ece464e4
-
SHA1
f1b956db4610e18114484326d13e7d3445c1db4d
-
SHA256
7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991
-
SHA512
24ca8f1a6af38f6a354c32ada274a5f8ff73831f76bf9ac4c44e8b8190bb685554d13ab1101232b8e0580093b6a7f22e8d1de486176cd4ae929b22c0047b778e
-
SSDEEP
12288:vy90vqVyT0LPPw5q8Rb1iN7cqyl+oYbl6scY1:vyAsyT2PUq8rihByl+Y2
Malware Config
Extracted
amadey
3.80
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Targets
-
-
Target
7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991
-
Size
609KB
-
MD5
1e6a63ca1ee2c63625362f59ece464e4
-
SHA1
f1b956db4610e18114484326d13e7d3445c1db4d
-
SHA256
7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991
-
SHA512
24ca8f1a6af38f6a354c32ada274a5f8ff73831f76bf9ac4c44e8b8190bb685554d13ab1101232b8e0580093b6a7f22e8d1de486176cd4ae929b22c0047b778e
-
SSDEEP
12288:vy90vqVyT0LPPw5q8Rb1iN7cqyl+oYbl6scY1:vyAsyT2PUq8rihByl+Y2
Score10/10-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Windows security modification
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1