amadey | f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16

General

Target

file.exe
Size

359KB
MD5

6b9df39ff3bc394a9aa4ca61ed44c281
SHA1

0493642d0e978c91463716a6e2a0ac2efe4f4bef
SHA256

f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16
SHA512

a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327
SSDEEP

6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF

Score

10^/10

amadey redline 7777777 infostealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

7777777

C2

185.106.92.214:2510

Attributes

auth_value
963a3fad67ade8410f4a236f4101f611

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

gntuud.exeanon.exe

pid process

4912 gntuud.exe
1584 anon.exe

pid	process
4912	gntuud.exe
1584	anon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

440 4868 WerFault.exe file.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2056 schtasks.exe

pid	pid_target	process	target process
440	4868	WerFault.exe	file.exe

pid	process
2056	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file.exegntuud.exe

description	pid	process	target process
PID 4868 wrote to memory of 4912	4868	file.exe	gntuud.exe
PID 4868 wrote to memory of 4912	4868	file.exe	gntuud.exe
PID 4868 wrote to memory of 4912	4868	file.exe	gntuud.exe
PID 4912 wrote to memory of 2056	4912	gntuud.exe	schtasks.exe
PID 4912 wrote to memory of 2056	4912	gntuud.exe	schtasks.exe
PID 4912 wrote to memory of 2056	4912	gntuud.exe	schtasks.exe
PID 4912 wrote to memory of 2436	4912	gntuud.exe	rundll32.exe
PID 4912 wrote to memory of 2436	4912	gntuud.exe	rundll32.exe
PID 4912 wrote to memory of 2436	4912	gntuud.exe	rundll32.exe
PID 4912 wrote to memory of 1584	4912	gntuud.exe	anon.exe
PID 4912 wrote to memory of 1584	4912	gntuud.exe	anon.exe
PID 4912 wrote to memory of 1584	4912	gntuud.exe	anon.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:2056

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe"
3⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 868
2⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4868 -ip 4868
1⤵
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe
Filesize
175KB

MD5
3f52500b3f5b5c3fd52472cc3c82732e

SHA1
2f6ad3c03bb75104395c13f24f71a2292071c93b

SHA256
7d1b267f53db09f05ccf77a35c93abeb4918f76e1439cc049074845271b10ec2

SHA512
c65978b53a8a60035bb2ee368bf7f6d5e8b195f0e99aec027320d95eaa037b255349b226db5f7412014f847f45b8cb75f462ab52049ac8f9b9292ca01df9456a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
359KB

MD5
6b9df39ff3bc394a9aa4ca61ed44c281

SHA1
0493642d0e978c91463716a6e2a0ac2efe4f4bef

SHA256
f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16

SHA512
a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
359KB

MD5
6b9df39ff3bc394a9aa4ca61ed44c281

SHA1
0493642d0e978c91463716a6e2a0ac2efe4f4bef

SHA256
f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16

SHA512
a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327

Download Submit
memory/1584-144-0x0000000000000000-mapping.dmp

Download
memory/2056-142-0x0000000000000000-mapping.dmp

Download
memory/2436-143-0x0000000000000000-mapping.dmp

Download
memory/4868-133-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4868-134-0x0000000000553000-0x0000000000572000-memory.dmp

Filesize
124KB

Download
memory/4868-132-0x0000000000553000-0x0000000000572000-memory.dmp

Filesize
124KB

Download
memory/4868-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-135-0x0000000000000000-mapping.dmp

Download
memory/4912-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-140-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/4912-139-0x0000000000763000-0x0000000000782000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads