General

  • Target

    dfabfe5ff3f2ef676c2a249a1eeb177fb9f70133d9f4d17d2089a823d88665ccN.exe

  • Size

    526KB

  • Sample

    250216-xfcnxswjaw

  • MD5

    256f594357c847885ff90b77faf824d0

  • SHA1

    b191c03b58967f8612ac4689c9fbb10f8b3a03c6

  • SHA256

    dfabfe5ff3f2ef676c2a249a1eeb177fb9f70133d9f4d17d2089a823d88665cc

  • SHA512

    29ca64c4dbfc8ef504ce0f8e66df32fdfea0e227e448fb3b6bd6ecf14a06960cb3df4ada0f7f44a4ecb3ac6e65f0ce324f725648bca94699f284c50d3ff3bfdb

  • SSDEEP

    12288:SMrny90okp3rPkhFUCjj1ph5qTE5bsAlV4t//8pLl:py/MQhFUQDqT+C8pLl

Malware Config

Extracted

Family

amadey

Version

3.66

Botnet

47d0a3

C2

http://62.204.41.5

Attributes
  • install_dir

    5eb6b96734

  • install_file

    mnolyk.exe

  • strings_key

    4e2443c99695fdd2c1517b867af1bc22

  • url_paths

    /Bu58Ngs/index.php

rc4.plain

Targets

    • Target

      dfabfe5ff3f2ef676c2a249a1eeb177fb9f70133d9f4d17d2089a823d88665ccN.exe

    • Size

      526KB

    • MD5

      256f594357c847885ff90b77faf824d0

    • SHA1

      b191c03b58967f8612ac4689c9fbb10f8b3a03c6

    • SHA256

      dfabfe5ff3f2ef676c2a249a1eeb177fb9f70133d9f4d17d2089a823d88665cc

    • SHA512

      29ca64c4dbfc8ef504ce0f8e66df32fdfea0e227e448fb3b6bd6ecf14a06960cb3df4ada0f7f44a4ecb3ac6e65f0ce324f725648bca94699f284c50d3ff3bfdb

    • SSDEEP

      12288:SMrny90okp3rPkhFUCjj1ph5qTE5bsAlV4t//8pLl:py/MQhFUQDqT+C8pLl

    • Amadey

      Amadey is a simple trojan bot primarily used to collect reconnaissance information from the infected host.

    • Amadey family

    • Detects Healer, an antivirus disabler dropper

    • Healer

      Healer is an antivirus disabler dropper.

    • Healer family

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies Windows Defender TamperProtection settings

    • Modifies Windows Defender notification settings

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application
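
The signatures above (Defender settings tampering, Run-key persistence) and the extracted config (C2 host, url_paths, install_dir, install_file) translate directly into host and network detection logic. The following is an added example, not part of the sandbox output: it runs a small rule set over constructed Sysmon-style registry and HTTP events. The Defender registry locations are the standard ones (the report names the settings but not the keys, so they are an assumption here), and the install path under %TEMP% is likewise assumed; the C2, URL path, install_dir and install_file values are taken from the config above.

```python
"""Detection logic for the Amadey/Healer behaviours in this report, run over
constructed Sysmon-style events. Added example; not the sandbox's own code."""
import re
from urllib.parse import urlsplit

# Indicators taken from the extracted config above.
C2_HOST = "62.204.41.5"
C2_PATH = "/Bu58Ngs/index.php"
INSTALL_DIR = "5eb6b96734"
INSTALL_FILE = "mnolyk.exe"

# Registry values behind the four "Modifies Windows Defender ..." signatures.
# Assumption: standard policy/feature locations; the second tuple element is
# the DWORD data that disables the feature (TamperProtection 5 = on, 4 = off).
DEFENDER_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware":
        ("DisableAntiSpyware", "1"),
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring":
        ("DisableRealtimeMonitoring", "1"),
    r"hklm\software\microsoft\windows defender\features\tamperprotection":
        ("TamperProtection", "4"),
    r"hklm\software\policies\microsoft\windows defender security center\notifications\disablenotifications":
        ("DisableNotifications", "1"),
}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def norm_path(path):
    """Lower-case a registry path and shorten hive names so Sysmon and
    PowerShell spellings both match the table above."""
    for long_name, short in HIVES.items():
        path = path.replace(long_name, short)
    return path.lower()


def reg_dword(details):
    """Sysmon Event 13 renders data as 'DWORD (0x00000001)'; return '1'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return str(int(m.group(1), 16)) if m else details


def detect(events):
    """Return (rule, detail) pairs for events matching the report's behaviours."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            target = norm_path(ev["target"])
            if target in DEFENDER_VALUES:
                name, disabling = DEFENDER_VALUES[target]
                # Only fire when the write actually turns the feature off;
                # a policy refresh writing 0 is benign.
                if reg_dword(ev["details"]) == disabling:
                    hits.append((f"defender_{name}_tamper", ev["target"]))
            elif RUN_KEY_RE.search(target):
                data = ev["details"].lower()
                # Persistence entry pointing at the configured install_dir/install_file.
                if INSTALL_DIR.lower() in data and INSTALL_FILE.lower() in data:
                    hits.append(("amadey_run_key_persistence", ev["details"]))
        elif ev["type"] == "http":
            u = urlsplit(ev["url"])
            # Match on host OR path: the panel path tends to survive C2 host changes.
            if u.hostname == C2_HOST or u.path == C2_PATH:
                hits.append(("amadey_c2_beacon", ev["url"]))
    return hits


# Constructed events modelled on Sysmon Event 13 (registry value set) and HTTP telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000004)"},
    {"type": "registry_set",  # benign: policy re-enabling AV, must not fire
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000000)"},
    {"type": "registry_set",  # assumed install path: %TEMP%\<install_dir>\<install_file>
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mnolyk.exe",
     "details": r"C:\Users\user\AppData\Local\Temp\5eb6b96734\mnolyk.exe"},
    {"type": "http", "url": "http://62.204.41.5/Bu58Ngs/index.php"},
    {"type": "http", "url": "http://example.invalid/index.php"},  # benign
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rule set is deliberately narrow: a Defender value is only flagged when the written data is the disabling one, so routine policy refreshes do not alert, and the C2 rule keys on the url_paths value as well as the host because Amadey panels move between hosts while the path stays in the config.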

MITRE ATT&CK Enterprise v15

Tasks