amadey | 1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519 | Triage

Sharing

General

Target

33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics
Size

1.7MB
Sample

240510-31hnkahc81
MD5

33afe0d9831bf1b5c5f68486a6b78b70
SHA1

b8072fe876bbb198eaa3585b23f893d01aa333b8
SHA256

1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519
SHA512

c8b5c03666bb47649a006aa9aa04fce75a59bf5a41650d58893eff7e1b99d82a8c08172c8079054c3a9edbd221e691aa97f2276cc0d1d1fa4de6c24d7be5fb64
SSDEEP

49152:MyymmE0wLtAeK7aL5maghzJlLbZMa+K6:M94tAHC5/6lLNHH

Score

10^/10

amadey healer dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Targets

- Target
  
  33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics
- Size
  
  1.7MB
- MD5
  
  33afe0d9831bf1b5c5f68486a6b78b70
- SHA1
  
  b8072fe876bbb198eaa3585b23f893d01aa333b8
- SHA256
  
  1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519
- SHA512
  
  c8b5c03666bb47649a006aa9aa04fce75a59bf5a41650d58893eff7e1b99d82a8c08172c8079054c3a9edbd221e691aa97f2276cc0d1d1fa4de6c24d7be5fb64
- SSDEEP
  
  49152:MyymmE0wLtAeK7aL5maghzJlLbZMa+K6:M94tAHC5/6lLNHH
Score

10^/10

amadey healer dropper evasion persistence trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

amadeyhealerdropperevasionpersistencetrojan