amadey | 9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa

Analysis

max time kernel
186s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe
Size

795KB
MD5

790a759fe513a457d7320b546b1de836
SHA1

887d0acbd18898cfce25dae7ff748a7ac8570da9
SHA256

9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa
SHA512

f2140681692c8b383c8d2b1fa60a2174464c93cc1101c595c0868b954a03df537b0b2b3a3c6c4de6317abe9b231636ab1ad45c9e5eafb617de0c597079102c41
SSDEEP

24576:6y95zZLCc588icjIHLTnXnqjnvLzC9z+sB05c:B95NLCc588ii23Xnr7W

Score

10^/10

amadey redline fusa discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

amadey

Version

3.66

62.204.41.5/Bu58Ngs/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mpp15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Executes dropped EXE 6 IoCs

pid	Process
5084	saQ24Ho.exe
4232	sHo61Sk.exe
4980	kLd23Cq.exe
3708	mpp15.exe
3640	mnolyk.exe
2052	nNN87Kt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	saQ24Ho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	saQ24Ho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sHo61Sk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sHo61Sk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2520	2052	WerFault.exe	86

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4980	kLd23Cq.exe
4980	kLd23Cq.exe
2052	nNN87Kt.exe
2052	nNN87Kt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	kLd23Cq.exe
Token: SeDebugPrivilege	2052	nNN87Kt.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 5084	2152	9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe	81
PID 2152 wrote to memory of 5084	2152	9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe	81
PID 2152 wrote to memory of 5084	2152	9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe	81
PID 5084 wrote to memory of 4232	5084	saQ24Ho.exe	82
PID 5084 wrote to memory of 4232	5084	saQ24Ho.exe	82
PID 5084 wrote to memory of 4232	5084	saQ24Ho.exe	82
PID 4232 wrote to memory of 4980	4232	sHo61Sk.exe	83
PID 4232 wrote to memory of 4980	4232	sHo61Sk.exe	83
PID 4232 wrote to memory of 4980	4232	sHo61Sk.exe	83
PID 4232 wrote to memory of 3708	4232	sHo61Sk.exe	84
PID 4232 wrote to memory of 3708	4232	sHo61Sk.exe	84
PID 4232 wrote to memory of 3708	4232	sHo61Sk.exe	84
PID 3708 wrote to memory of 3640	3708	mpp15.exe	85
PID 3708 wrote to memory of 3640	3708	mpp15.exe	85
PID 3708 wrote to memory of 3640	3708	mpp15.exe	85
PID 5084 wrote to memory of 2052	5084	saQ24Ho.exe	86
PID 5084 wrote to memory of 2052	5084	saQ24Ho.exe	86
PID 5084 wrote to memory of 2052	5084	saQ24Ho.exe	86
PID 3640 wrote to memory of 1920	3640	mnolyk.exe	87
PID 3640 wrote to memory of 1920	3640	mnolyk.exe	87
PID 3640 wrote to memory of 1920	3640	mnolyk.exe	87
PID 3640 wrote to memory of 1360	3640	mnolyk.exe	89
PID 3640 wrote to memory of 1360	3640	mnolyk.exe	89
PID 3640 wrote to memory of 1360	3640	mnolyk.exe	89
PID 1360 wrote to memory of 3376	1360	cmd.exe	91
PID 1360 wrote to memory of 3376	1360	cmd.exe	91
PID 1360 wrote to memory of 3376	1360	cmd.exe	91
PID 1360 wrote to memory of 4688	1360	cmd.exe	92
PID 1360 wrote to memory of 4688	1360	cmd.exe	92
PID 1360 wrote to memory of 4688	1360	cmd.exe	92
PID 1360 wrote to memory of 4888	1360	cmd.exe	93
PID 1360 wrote to memory of 4888	1360	cmd.exe	93
PID 1360 wrote to memory of 4888	1360	cmd.exe	93
PID 1360 wrote to memory of 1276	1360	cmd.exe	94
PID 1360 wrote to memory of 1276	1360	cmd.exe	94
PID 1360 wrote to memory of 1276	1360	cmd.exe	94
PID 1360 wrote to memory of 3152	1360	cmd.exe	95
PID 1360 wrote to memory of 3152	1360	cmd.exe	95
PID 1360 wrote to memory of 3152	1360	cmd.exe	95
PID 1360 wrote to memory of 4896	1360	cmd.exe	96
PID 1360 wrote to memory of 4896	1360	cmd.exe	96
PID 1360 wrote to memory of 4896	1360	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe
"C:\Users\Admin\AppData\Local\Temp\9e37626339446505a24dc114e64399a581a95156e9e75ca5f0d7ab512ee626aa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\saQ24Ho.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\saQ24Ho.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sHo61Sk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sHo61Sk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLd23Cq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLd23Cq.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mpp15.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mpp15.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        7⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        7⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:N"
        7⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:R" /E
        7⤵
        
        PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNN87Kt.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNN87Kt.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1728
      4⤵
      Program crash
      PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2052 -ip 2052
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\saQ24Ho.exe

Filesize
691KB

MD5
774eea7e5e7bac6e2f647665fb22b010

SHA1
551231d31fe1f5698b6ffbef0f33077ba819481c

SHA256
0de44dba4ce059ed388d517d95361a6401b50ae59a9479c4562b2a2c1a7df2a0

SHA512
ba4068667b00193ffe7c4e7fdb52a1dfc67085124515e401fbcda52e4cb574bf8e18a205f3953f3a27abf3acf77814c5508e3391afd33ef3a8985639974bc91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\saQ24Ho.exe

Filesize
691KB

MD5
774eea7e5e7bac6e2f647665fb22b010

SHA1
551231d31fe1f5698b6ffbef0f33077ba819481c

SHA256
0de44dba4ce059ed388d517d95361a6401b50ae59a9479c4562b2a2c1a7df2a0

SHA512
ba4068667b00193ffe7c4e7fdb52a1dfc67085124515e401fbcda52e4cb574bf8e18a205f3953f3a27abf3acf77814c5508e3391afd33ef3a8985639974bc91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNN87Kt.exe

Filesize
479KB

MD5
025cb38b9df5a2aad5c56de55d8d5e91

SHA1
3e208fb7cd6c718268a272e349daa206d7af8989

SHA256
f1aff3dc1d39ee6806207754202fc9694115dcf9cd0a2423c8413195d9907804

SHA512
f2b72666ac2d098c280a34238eb07d3dc363dcd12225ceddecb2a8626ae2e556883259c6623f92b9b613d16c764c38485155c846eabe48fd150a0e70e5dc944f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nNN87Kt.exe

Filesize
479KB

MD5
025cb38b9df5a2aad5c56de55d8d5e91

SHA1
3e208fb7cd6c718268a272e349daa206d7af8989

SHA256
f1aff3dc1d39ee6806207754202fc9694115dcf9cd0a2423c8413195d9907804

SHA512
f2b72666ac2d098c280a34238eb07d3dc363dcd12225ceddecb2a8626ae2e556883259c6623f92b9b613d16c764c38485155c846eabe48fd150a0e70e5dc944f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sHo61Sk.exe

Filesize
286KB

MD5
b91ee93e3c7786bb78da05fbb151fcac

SHA1
4198d45e5d2d1d042de1759d5c178cf2a9d3c4ee

SHA256
42b79f841fcc6435a79d9dabd850a7d3df7d7905fe89256cc98be4c917c79e4e

SHA512
eaf33e3a7ef6368db6c9153e29b5330e366de8c953e6f9ae0d2fa3e47ce15982552e70fcc4827442eeca8dc32b803b4f34ec7b8caf8833ab5e358a2571743d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sHo61Sk.exe

Filesize
286KB

MD5
b91ee93e3c7786bb78da05fbb151fcac

SHA1
4198d45e5d2d1d042de1759d5c178cf2a9d3c4ee

SHA256
42b79f841fcc6435a79d9dabd850a7d3df7d7905fe89256cc98be4c917c79e4e

SHA512
eaf33e3a7ef6368db6c9153e29b5330e366de8c953e6f9ae0d2fa3e47ce15982552e70fcc4827442eeca8dc32b803b4f34ec7b8caf8833ab5e358a2571743d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLd23Cq.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kLd23Cq.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mpp15.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mpp15.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
memory/2052-171-0x0000000000840000-0x000000000088B000-memory.dmp

Filesize
300KB

Download
memory/2052-170-0x00000000008D3000-0x0000000000902000-memory.dmp

Filesize
188KB

Download
memory/2052-172-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/2052-173-0x00000000008D3000-0x0000000000902000-memory.dmp

Filesize
188KB

Download
memory/4980-142-0x0000000005E60000-0x0000000006478000-memory.dmp

Filesize
6.1MB

Download
memory/4980-146-0x0000000006B70000-0x0000000007114000-memory.dmp

Filesize
5.6MB

Download
memory/4980-151-0x0000000007220000-0x0000000007296000-memory.dmp

Filesize
472KB

Download
memory/4980-150-0x00000000079F0000-0x0000000007F1C000-memory.dmp

Filesize
5.2MB

Download
memory/4980-149-0x00000000072F0000-0x00000000074B2000-memory.dmp

Filesize
1.8MB

Download
memory/4980-148-0x00000000066C0000-0x0000000006726000-memory.dmp

Filesize
408KB

Download
memory/4980-147-0x0000000003080000-0x0000000003112000-memory.dmp

Filesize
584KB

Download
memory/4980-152-0x00000000072A0000-0x00000000072F0000-memory.dmp

Filesize
320KB

Download
memory/4980-145-0x0000000005980000-0x00000000059BC000-memory.dmp

Filesize
240KB

Download
memory/4980-144-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/4980-143-0x00000000059E0000-0x0000000005AEA000-memory.dmp

Filesize
1.0MB

Download
memory/4980-141-0x0000000000F40000-0x0000000000F72000-memory.dmp

Filesize
200KB

Download