General

  • Target

    e6777729c54a4cef7278153172179f771406b01833f3fee96312a92373cdddb3N.exe

  • Size

    523KB

  • Sample

    241125-ctwnqsynhj

  • MD5

    e66eb7d5d3bade97cbad376b528b9850

  • SHA1

    c5f9a7261a97754de5e3ef5876ad3b76d148121e

  • SHA256

    e6777729c54a4cef7278153172179f771406b01833f3fee96312a92373cdddb3

  • SHA512

    b9eb5e6979a787b8b08befa7f2e3ab831e9137a94561f30a129c11c49bed91416a8e034c5bc0d7e28209101cf0263087e18390352d3c27ece39cdd490a595176

  • SSDEEP

    12288:ZMrHy904UVvH8QgMIaDXnIOZiv6DcYq9vW1v94+r:iyUVEs9D31ZigcYT14Q

Malware Config

Extracted

Family

amadey

Version

3.66

Botnet

47d0a3

C2

http://62.204.41.5

Attributes
  • install_dir

    5eb6b96734

  • install_file

    mnolyk.exe

  • strings_key

    4e2443c99695fdd2c1517b867af1bc22

  • url_paths

    /Bu58Ngs/index.php

rc4.plain

Targets

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender Real-time Protection settings

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks