Overview

overview

10

Static

static

3

6cb4137cb7...56.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6cb4137cb7e29807e2044a791bde68687eda33a963906bc6516ead304075be56.exe

  • Size

    589KB

  • Sample

    250207-3wj1tsvqbn

  • MD5

    0f3eadc3ab8541461b82a4cb7a06d2fd

  • SHA1

    98768d1dc1fd7a105c37a2867a57c6ea098a0afe

  • SHA256

    6cb4137cb7e29807e2044a791bde68687eda33a963906bc6516ead304075be56

  • SHA512

    f6a51063d1deeb496ac7cb963a76585e4fc5ecfdca3a849b1f91efeb042c559834e6ca74b98b3e03f33d82379a43f68b28fb320985121189c8ff101610cd1028

  • SSDEEP

    12288:yMrcy90/R9/Oi6+TuHl0em1kqtKmENNfgAchF+DThTFDt2dYS1U5alR:KyE9/7Cl0aqtKFNQhFuHDcddMalR

Score
10/10
amadeyhealerb50502defense_evasiondiscoverydropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.70

Botnet

b50502

C2

http://77.91.124.207

Attributes
  • install_dir

    595f021478

  • install_file

    oneetx.exe

  • strings_key

    6e3d32d239380a49b6f83128fe71ea01

  • url_paths

    /plays/chapter/index.php

rc4.plain

Targets

    • Target

      6cb4137cb7e29807e2044a791bde68687eda33a963906bc6516ead304075be56.exe

    • Size

      589KB

    • MD5

      0f3eadc3ab8541461b82a4cb7a06d2fd

    • SHA1

      98768d1dc1fd7a105c37a2867a57c6ea098a0afe

    • SHA256

      6cb4137cb7e29807e2044a791bde68687eda33a963906bc6516ead304075be56

    • SHA512

      f6a51063d1deeb496ac7cb963a76585e4fc5ecfdca3a849b1f91efeb042c559834e6ca74b98b3e03f33d82379a43f68b28fb320985121189c8ff101610cd1028

    • SSDEEP

      12288:yMrcy90/R9/Oi6+TuHl0em1kqtKmENNfgAchF+DThTFDt2dYS1U5alR:KyE9/7Cl0aqtKFNQhFuHDcddMalR

    Score
    10/10
    amadeyhealerb50502defense_evasiondiscoverydropperevasionpersistencetrojan

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Amadey family

      amadey

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Healer family

      healer

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      defense_evasiontrojan

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

5
T1562

Disable or Modify Tools

5
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks