amadey | 593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a

Analysis

max time kernel
110s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192e88e390afbdafb38d4273d5031deb.exe
Size

241KB
MD5

192e88e390afbdafb38d4273d5031deb
SHA1

8a9b778f7142c65d99aad99cc3753b8ec95919fc
SHA256

593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a
SHA512

9e61e55651af48eac6039ec8215dcd20fcc44a8d45712dcedb3465b92f82ff260c2e55468217d412cfa348d8fcfb5b7988b54f3f9db49c67d858c637315ff900
SSDEEP

6144:3BizIWRzBISIiLaliSMrf5ujpmzqaw5LiS:3a/axMNujpcqaw4S

Score

10^/10

amadey redline bred collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

bred

77.73.134.251:4691

Attributes

auth_value
0e8ad10c690c62fa90b012542647f121

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
behavioral2/memory/3776-156-0x00000000005A0000-0x00000000005C4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe	family_redline
behavioral2/memory/520-139-0x0000000000930000-0x0000000000958000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

34 3776 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

rovwer.exebre.exerovwer.exerovwer.exe

pid process

4844 rovwer.exe
520 bre.exe
2432 rovwer.exe
4292 rovwer.exe

flow	pid	process
34	3776	rundll32.exe

pid	process
4844	rovwer.exe
520	bre.exe
2432	rovwer.exe
4292	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rovwer.exe192e88e390afbdafb38d4273d5031deb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	192e88e390afbdafb38d4273d5031deb.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

3776 rundll32.exe
3776 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3776	rundll32.exe
3776	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bre.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000012001\\bre.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1124 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bre.exerundll32.exe

pid process

520 bre.exe
520 bre.exe
3776 rundll32.exe
3776 rundll32.exe
3776 rundll32.exe
3776 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bre.exe

description pid process

Token: SeDebugPrivilege 520 bre.exe

pid	process
1124	schtasks.exe

pid	process
520	bre.exe
520	bre.exe
3776	rundll32.exe
3776	rundll32.exe
3776	rundll32.exe
3776	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	520	bre.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

192e88e390afbdafb38d4273d5031deb.exerovwer.exe

description	pid	process	target process
PID 5060 wrote to memory of 4844	5060	192e88e390afbdafb38d4273d5031deb.exe	rovwer.exe
PID 5060 wrote to memory of 4844	5060	192e88e390afbdafb38d4273d5031deb.exe	rovwer.exe
PID 5060 wrote to memory of 4844	5060	192e88e390afbdafb38d4273d5031deb.exe	rovwer.exe
PID 4844 wrote to memory of 1124	4844	rovwer.exe	schtasks.exe
PID 4844 wrote to memory of 1124	4844	rovwer.exe	schtasks.exe
PID 4844 wrote to memory of 1124	4844	rovwer.exe	schtasks.exe
PID 4844 wrote to memory of 520	4844	rovwer.exe	bre.exe
PID 4844 wrote to memory of 520	4844	rovwer.exe	bre.exe
PID 4844 wrote to memory of 520	4844	rovwer.exe	bre.exe
PID 4844 wrote to memory of 3776	4844	rovwer.exe	rundll32.exe
PID 4844 wrote to memory of 3776	4844	rovwer.exe	rundll32.exe
PID 4844 wrote to memory of 3776	4844	rovwer.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\192e88e390afbdafb38d4273d5031deb.exe
"C:\Users\Admin\AppData\Local\Temp\192e88e390afbdafb38d4273d5031deb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1124

C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:3776

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe

Filesize
137KB

MD5
7357ebff6a98df7135b5b4be8ff5451d

SHA1
7ea82d17eb6d7b1a4c5a2d5240a1ca63bc9809e1

SHA256
54ab734131bcbfaded15776d689015fb747cc7919b70b2d8b1808e103bacebb4

SHA512
5a23c49b243610ca82ca0308d1b01341da22a59cdaf62b682ee2333bc2e4465c875f5a78f422a2281d9684d76e116bdebcaad98f31e9717db65e4b6779a85fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\bre.exe

Filesize
137KB

MD5
7357ebff6a98df7135b5b4be8ff5451d

SHA1
7ea82d17eb6d7b1a4c5a2d5240a1ca63bc9809e1

SHA256
54ab734131bcbfaded15776d689015fb747cc7919b70b2d8b1808e103bacebb4

SHA512
5a23c49b243610ca82ca0308d1b01341da22a59cdaf62b682ee2333bc2e4465c875f5a78f422a2281d9684d76e116bdebcaad98f31e9717db65e4b6779a85fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
241KB

MD5
192e88e390afbdafb38d4273d5031deb

SHA1
8a9b778f7142c65d99aad99cc3753b8ec95919fc

SHA256
593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a

SHA512
9e61e55651af48eac6039ec8215dcd20fcc44a8d45712dcedb3465b92f82ff260c2e55468217d412cfa348d8fcfb5b7988b54f3f9db49c67d858c637315ff900

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
241KB

MD5
192e88e390afbdafb38d4273d5031deb

SHA1
8a9b778f7142c65d99aad99cc3753b8ec95919fc

SHA256
593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a

SHA512
9e61e55651af48eac6039ec8215dcd20fcc44a8d45712dcedb3465b92f82ff260c2e55468217d412cfa348d8fcfb5b7988b54f3f9db49c67d858c637315ff900

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
241KB

MD5
192e88e390afbdafb38d4273d5031deb

SHA1
8a9b778f7142c65d99aad99cc3753b8ec95919fc

SHA256
593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a

SHA512
9e61e55651af48eac6039ec8215dcd20fcc44a8d45712dcedb3465b92f82ff260c2e55468217d412cfa348d8fcfb5b7988b54f3f9db49c67d858c637315ff900

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
241KB

MD5
192e88e390afbdafb38d4273d5031deb

SHA1
8a9b778f7142c65d99aad99cc3753b8ec95919fc

SHA256
593505e03743f43ae5b3d0ed815fc0416f55b5bed2ac1bbf13f95f6214a2fc9a

SHA512
9e61e55651af48eac6039ec8215dcd20fcc44a8d45712dcedb3465b92f82ff260c2e55468217d412cfa348d8fcfb5b7988b54f3f9db49c67d858c637315ff900

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll

Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
memory/520-144-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/520-150-0x0000000007360000-0x000000000788C000-memory.dmp

Filesize
5.2MB

Download
memory/520-143-0x0000000005340000-0x000000000537C000-memory.dmp

Filesize
240KB

Download
memory/520-136-0x0000000000000000-mapping.dmp

Download
memory/520-145-0x0000000006460000-0x0000000006A04000-memory.dmp

Filesize
5.6MB

Download
memory/520-146-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/520-147-0x0000000006A10000-0x0000000006A86000-memory.dmp

Filesize
472KB

Download
memory/520-148-0x0000000006400000-0x0000000006450000-memory.dmp

Filesize
320KB

Download
memory/520-149-0x0000000006C60000-0x0000000006E22000-memory.dmp

Filesize
1.8MB

Download
memory/520-142-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/520-141-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/520-139-0x0000000000930000-0x0000000000958000-memory.dmp

Filesize
160KB

Download
memory/520-140-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/1124-135-0x0000000000000000-mapping.dmp

Download
memory/3776-156-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/3776-152-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download