General

  • Target

    ed20f0165373015a0684faa63ed68ea97ef7a4f5198cfde73123b5e6b41ebe04

  • Size

    1.1MB

  • Sample

    241110-dv2f2sycpk

  • MD5

    86e574e79628b7b92f2eb4a9445e0652

  • SHA1

    7b1a12c40d3c3348b78603631c6834a4c89512ce

  • SHA256

    ed20f0165373015a0684faa63ed68ea97ef7a4f5198cfde73123b5e6b41ebe04

  • SHA512

    a7cf2e48484bf4d0664effd711e779d1d318d126a42a21b8b4da5738f5c411beab9acb4f0e529ede1af43cfc2a69b119dcdcfbdbe3703527f8e0a1b87b14e5d6

  • SSDEEP

    24576:hyAoQ0BcmAkuFeSGpcdCba789sFjcEmehqpmdoC:UAoQ0q7FeS9kbaQ9cjcFDYdo

Malware Config

Extracted

  • Family

    amadey

  • Version

    3.80

  • Botnet

    9c0adb

  • C2

    http://193.3.19.154

Attributes

  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

  • rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks