General

  • Target

    f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6

  • Size

    377KB

  • Sample

    241109-ec2jrsxaqd

  • MD5

    da475cf499bff55e24a694ebeb54bc4a

  • SHA1

    2b317bc29480f30a73acc099f88b7791671aba35

  • SHA256

    f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6

  • SHA512

    af2cc12baa0b3c6ef83171b4b5cff8a99ba7ac4fe677f3ea72c80d21e6d63d30a3cba7b7c1bcb46881c8f73139096f2604149867354c685f8eaffbdc4b1d46fd

  • SSDEEP

    6144:Khy+bnr+Hp0yN90QEiJV5Qrp5HaBdYi5CwJkVzCqbUlA4v4axiuKZeHPJ4yBw:PMrPy90QTQrpZARbJk5pbUlHQK1KkPil

Malware Config

Extracted

Family

amadey

Version

3.81

Botnet

f9a925

C2

http://77.91.124.20

Attributes
  • install_dir

    c3912af058

  • install_file

    oneetx.exe

  • strings_key

    0504ce46646b0dc397a3c30d6692ec75

  • url_paths

    /store/games/index.php

rc4.plain
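
The C2 base URL and url_paths above combine into the bot's check-in URL. The following Python script, added here and not part of the sandbox output, turns the extracted values into network IOCs and hunts them in HTTP proxy logs. The log records are constructed Zeek-style JSON; the field names are an assumption about the reader's log pipeline, and the plugin path in the third record is made up to show a host-only match.

```python
"""Turn the extracted Amadey config into network IOCs and hunt them in HTTP logs.

Added example, not part of the sandbox report. The log lines are constructed;
their field names mimic a Zeek http.log exported as JSON (an assumption).
"""
import json
from urllib.parse import urlparse

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "amadey",
    "version": "3.81",
    "botnet": "f9a925",
    "c2": ["http://77.91.124.20"],
    "url_paths": ["/store/games/index.php"],
    "install_dir": "c3912af058",
    "install_file": "oneetx.exe",
}


def build_iocs(config):
    """Derive C2 hosts and full check-in URLs from the extracted config.

    The c2 field is a base URL and url_paths holds the script the bot talks
    to, so the beacon URL is their concatenation.
    """
    hosts, urls = set(), set()
    for base in config["c2"]:
        hosts.add(urlparse(base).hostname)
        for path in config["url_paths"]:
            urls.add(base.rstrip("/") + path)
    return {"hosts": hosts, "urls": urls}


def match_http_log(lines, iocs):
    """Return (line_no, reason) pairs for records that touch the C2.

    A full URL match is the strongest signal; a host-only match on another
    path is still worth a look, since operators rotate the script path
    between campaigns while keeping the server.
    """
    hits = []
    for n, raw in enumerate(lines, 1):
        rec = json.loads(raw)
        host = rec.get("host") or rec.get("id.resp_h")
        url = f"http://{host}{rec.get('uri', '')}"
        if url in iocs["urls"]:
            hits.append((n, f"C2 URL {url} ({rec.get('method')})"))
        elif host in iocs["hosts"]:
            hits.append((n, f"C2 host {host}, unknown path {rec.get('uri')}"))
    return hits


# Constructed records (not real telemetry): a benign request, a check-in to
# the extracted URL, and a fetch from the C2 host on a made-up path.
SAMPLE_LOG = [
    '{"ts": 1731142800.1, "id.resp_h": "93.184.216.34", "host": "example.com", "method": "GET", "uri": "/"}',
    '{"ts": 1731142801.7, "id.resp_h": "77.91.124.20", "host": "77.91.124.20", "method": "POST", "uri": "/store/games/index.php"}',
    '{"ts": 1731142805.2, "id.resp_h": "77.91.124.20", "host": "77.91.124.20", "method": "GET", "uri": "/store/games/Plugins/cred64.dll"}',
]

if __name__ == "__main__":
    for line_no, reason in match_http_log(SAMPLE_LOG, build_iocs(CONFIG)):
        print(f"line {line_no}: {reason}")
```

Block on the host as well as the full URL: the script path is the part of the config an operator changes most cheaply.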

Targets

    • Target

      f5d574bf71adcc60081ad86beff6498d4ffcb701332829a1db36a870156aebc6

    • Amadey

      Amadey is a simple trojan bot that collects basic system reconnaissance and fetches additional payloads from its C2.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is a dropper whose purpose is to disable antivirus protection, here by changing Windows Defender real-time protection settings.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RedLine family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
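
The behavioural signatures above correspond to host artefacts that Sysmon records. The Python below, an added example rather than anything from the report or from the malware families it names, maps constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) onto three of those signatures. The %TEMP% install path is assumed from install_dir and install_file; the report does not state the parent directory. The geofence check (a registry read of the configured country code) produces no Sysmon event and is therefore not covered.

```python
"""Map Sysmon-style host events onto the behaviours listed in the report.

Added example; not code from the sandbox or from Amadey, Healer or RedLine.
The events are constructed. The %TEMP%\\<install_dir>\\<install_file>
location is an assumption about where the bot installs itself.
"""
import re

INSTALL_DIR = "c3912af058"    # install_dir from the extracted config
INSTALL_FILE = "oneetx.exe"   # install_file from the extracted config

# Process image ending in \<install_dir>\<install_file>.
DROPPED_EXE_RE = re.compile(
    r"\\" + re.escape(INSTALL_DIR) + r"\\" + re.escape(INSTALL_FILE) + r"$", re.I
)
# Per-user and machine-wide Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I
)
# Policy key and values under which Defender real-time protection is switched off.
DEFENDER_RTP_KEY = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}
# Sysmon renders a REG_DWORD of 1 as "DWORD (0x00000001)".
DWORD_ONE_RE = re.compile(r"DWORD \(0x0*1\)")


def classify_event(ev):
    """Return the report's signature names that a single event satisfies."""
    sigs = []
    if ev["EventID"] == 1 and DROPPED_EXE_RE.search(ev["Image"]):
        sigs.append("Executes dropped EXE")
    if ev["EventID"] == 13:
        key, _, value = ev["TargetObject"].rpartition("\\")
        details = ev["Details"].strip().strip('"')
        # Autostart entry that launches the installed bot binary.
        if RUN_KEY_RE.search(ev["TargetObject"]) and details.lower().endswith(INSTALL_FILE):
            sigs.append("Adds Run key to start application")
        # Defender real-time protection policy flipped to 1 (disabled).
        if (key.lower().endswith(DEFENDER_RTP_KEY.lower())
                and value in DEFENDER_RTP_VALUES
                and DWORD_ONE_RE.fullmatch(details)):
            sigs.append("Modifies Windows Defender Real-time Protection settings")
    return sigs


def scan(events):
    """Aggregate hits across an event stream: signature name -> event indices."""
    hits = {}
    for i, ev in enumerate(events):
        for sig in classify_event(ev):
            hits.setdefault(sig, []).append(i)
    return hits


# Constructed events; field names follow Sysmon's EventData. The user name,
# SID and the "healer.exe" image name are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\victim\AppData\Local\Temp\c3912af058\oneetx.exe",
     "ParentImage": r"C:\Users\victim\Downloads\sample.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\c3912af058\oneetx.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\oneetx.exe",
     "Details": r"C:\Users\victim\AppData\Local\Temp\c3912af058\oneetx.exe"},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\healer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for sig, idx in scan(SAMPLE_EVENTS).items():
        print(f"{sig}: events {idx}")
```

The fourth event is a legitimate Run key write and is meant to fall through: the Run key rule keys on the value data pointing at the extracted install_file, not on any write to the key.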

MITRE ATT&CK Enterprise v15

Tasks