General
Target: e6777729c54a4cef7278153172179f771406b01833f3fee96312a92373cdddb3N.exe
Size: 523KB
Sample: 241125-ctwnqsynhj
MD5: e66eb7d5d3bade97cbad376b528b9850
SHA1: c5f9a7261a97754de5e3ef5876ad3b76d148121e
SHA256: e6777729c54a4cef7278153172179f771406b01833f3fee96312a92373cdddb3
SHA512: b9eb5e6979a787b8b08befa7f2e3ab831e9137a94561f30a129c11c49bed91416a8e034c5bc0d7e28209101cf0263087e18390352d3c27ece39cdd490a595176
SSDEEP: 12288:ZMrHy904UVvH8QgMIaDXnIOZiv6DcYq9vW1v94+r:iyUVEs9D31ZigcYT14Q
Static task: static1
Malware Config
Extracted
Family: amadey
Version: 3.66
Botnet: 47d0a3
C2: http://62.204.41.5
install_dir: 5eb6b96734
install_file: mnolyk.exe
strings_key: 4e2443c99695fdd2c1517b867af1bc22
url_paths: /Bu58Ngs/index.php
Targets
Target: e6777729c54a4cef7278153172179f771406b01833f3fee96312a92373cdddb3N.exe (523KB; hashes as listed under General)
- Amadey family
- Detects Healer, an antivirus disabler dropper
- Healer family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Create or Modify System Process: Windows Service
- Scheduled Task/Job: Scheduled Task
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- Create or Modify System Process: Windows Service
- Scheduled Task/Job: Scheduled Task