amadey | bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

Analysis

max time kernel
144s
max time network
173s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

245KB
MD5

b5820c0fb930ee3460da54f05ef51d8c
SHA1

b7d81bf3035aa2110edda9feeb64b1bb7c2b5939
SHA256

bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9
SHA512

9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef
SSDEEP

3072:wBk7t4IJ+LQB4Wsw65r+64ek7sAE+I7h5S7TcJ3NqvEjEPH71Cmv3DWkJ4ViOte3:n7ULQB4Hz+Teescg3S3cdQEEHBekJ6g

Score

10^/10

amadey redline novr collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

novr

31.41.244.14:4694

Attributes

auth_value
34ddf4eb9326256f20a48cd5f1e9b496

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1000121001\lada.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe	family_redline
behavioral1/memory/1768-73-0x0000000000D80000-0x0000000000DA8000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1132 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

rovwer.exelada.exerovwer.exerovwer.exe

pid process

1824 rovwer.exe
1768 lada.exe
1788 rovwer.exe
1996 rovwer.exe
Loads dropped DLL 7 IoCs

Processes:

file.exerovwer.exerundll32.exe

pid process

2016 file.exe
2016 file.exe
1824 rovwer.exe
1132 rundll32.exe
1132 rundll32.exe
1132 rundll32.exe
1132 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
9	1132	rundll32.exe

pid	process
1824	rovwer.exe
1768	lada.exe
1788	rovwer.exe
1996	rovwer.exe

pid	process
2016	file.exe
2016	file.exe
1824	rovwer.exe
1132	rundll32.exe
1132	rundll32.exe
1132	rundll32.exe
1132	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000121001\\lada.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

lada.exerundll32.exe

pid process

1768 lada.exe
1132 rundll32.exe
1132 rundll32.exe
1132 rundll32.exe
1132 rundll32.exe
1768 lada.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lada.exe

description pid process

Token: SeDebugPrivilege 1768 lada.exe

pid	process
1552	schtasks.exe

pid	process
1768	lada.exe
1132	rundll32.exe
1132	rundll32.exe
1132	rundll32.exe
1132	rundll32.exe
1768	lada.exe

description	pid	process
Token: SeDebugPrivilege	1768	lada.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

file.exerovwer.exetaskeng.exe

description	pid	process	target process
PID 2016 wrote to memory of 1824	2016	file.exe	rovwer.exe
PID 2016 wrote to memory of 1824	2016	file.exe	rovwer.exe
PID 2016 wrote to memory of 1824	2016	file.exe	rovwer.exe
PID 2016 wrote to memory of 1824	2016	file.exe	rovwer.exe
PID 1824 wrote to memory of 1552	1824	rovwer.exe	schtasks.exe
PID 1824 wrote to memory of 1552	1824	rovwer.exe	schtasks.exe
PID 1824 wrote to memory of 1552	1824	rovwer.exe	schtasks.exe
PID 1824 wrote to memory of 1552	1824	rovwer.exe	schtasks.exe
PID 1824 wrote to memory of 1768	1824	rovwer.exe	lada.exe
PID 1824 wrote to memory of 1768	1824	rovwer.exe	lada.exe
PID 1824 wrote to memory of 1768	1824	rovwer.exe	lada.exe
PID 1824 wrote to memory of 1768	1824	rovwer.exe	lada.exe
PID 1156 wrote to memory of 1788	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1788	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1788	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1788	1156	taskeng.exe	rovwer.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1824 wrote to memory of 1132	1824	rovwer.exe	rundll32.exe
PID 1156 wrote to memory of 1996	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1996	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1996	1156	taskeng.exe	rovwer.exe
PID 1156 wrote to memory of 1996	1156	taskeng.exe	rovwer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1552

C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1132

C:\Windows\system32\taskeng.exe
taskeng.exe {5B92D95E-8BDE-4E27-93EF-A1AB1A41929B} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
2⤵
- Executes dropped EXE
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe

Filesize
137KB

MD5
bae3fb566c191522bab2bde67c482767

SHA1
7da8b30a638ff9f943cf03b32a4f254273990708

SHA256
3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

SHA512
f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000121001\lada.exe

Filesize
137KB

MD5
bae3fb566c191522bab2bde67c482767

SHA1
7da8b30a638ff9f943cf03b32a4f254273990708

SHA256
3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

SHA512
f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Local\Temp\1000121001\lada.exe

Filesize
137KB

MD5
bae3fb566c191522bab2bde67c482767

SHA1
7da8b30a638ff9f943cf03b32a4f254273990708

SHA256
3ed2170e83cce59a98471509fb4a84090f2ddcb38549a191663d5fbd05612e01

SHA512
f9859aba46d440df5dd10059a95708acdd45cca36339867ee654c271f4bb065f6c58005eadadc9a954c35078986402d2f379d5cf3c10484c603ae262d38e1f46

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
245KB

MD5
b5820c0fb930ee3460da54f05ef51d8c

SHA1
b7d81bf3035aa2110edda9feeb64b1bb7c2b5939

SHA256
bf24fcd67a5e4bfe47d5d7bceccf2dd7af585c44edf4f68bb86c2d2e6149c8a9

SHA512
9ae65a51ef59622adfcef7bfcbb38adb6b94f5bc54dc6347416726129d75c82946199197ae414c1feaf651f22664d4a8b2735feb3cba3fccf66c0983719c9aef

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll

Filesize
126KB

MD5
674cec24e36e0dfaec6290db96dda86e

SHA1
581e3a7a541cc04641e751fc850d92e07236681f

SHA256
de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

SHA512
6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Download Submit
memory/1132-80-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000000D80000-0x0000000000DA8000-memory.dmp

Filesize
160KB

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1788-75-0x0000000000000000-mapping.dmp

Download
memory/1788-78-0x000000000084B000-0x000000000086A000-memory.dmp

Filesize
124KB

Download
memory/1788-79-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1824-67-0x000000000030B000-0x000000000032A000-memory.dmp

Filesize
124KB

Download
memory/1824-68-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1824-59-0x0000000000000000-mapping.dmp

Download
memory/1996-87-0x0000000000000000-mapping.dmp

Download
memory/1996-90-0x00000000007DB000-0x00000000007FA000-memory.dmp

Filesize
124KB

Download
memory/1996-91-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2016-56-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2016-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2016-61-0x000000000079B000-0x00000000007BA000-memory.dmp

Filesize
124KB

Download
memory/2016-63-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2016-62-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2016-55-0x000000000079B000-0x00000000007BA000-memory.dmp

Filesize
124KB

Download