amadey | 540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2023 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe
Size

723KB
MD5

f913edfa0e68b2b3e96c802f8e40ec75
SHA1

9a09323b9b052a03df6ba3e9e24cf4980c49a4a3
SHA256

540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6
SHA512

bf28ed56903e189ef56214f79bdd6e4af17e37ec9d6da642def08770d57dd5807f9866c9ec21c829ab9832e0d117013fed031cbfeacd32554e7833df5ab2dc28
SSDEEP

12288:MMrky90PxT/yPFtuy708QpTbS88jSDIP5Bgsw7/dpBixxZz7no:AyYN/yHu20FTW88jSDIBOPFbk/jo

Score

10^/10

amadey redline fusa discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

fusa

193.233.20.12:4132

Attributes

auth_value
a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

amadey

Version

3.66

62.204.41.5/Bu58Ngs/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mom02.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Executes dropped EXE 6 IoCs

pid	Process
3560	skz30vd.exe
1712	sDD39XR.exe
4780	kZE26Hs.exe
3896	mom02.exe
4316	mnolyk.exe
2536	nwx68he.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	skz30vd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	skz30vd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sDD39XR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sDD39XR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4780	kZE26Hs.exe
4780	kZE26Hs.exe
2536	nwx68he.exe
2536	nwx68he.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	kZE26Hs.exe
Token: SeDebugPrivilege	2536	nwx68he.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3560	3944	540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe	80
PID 3944 wrote to memory of 3560	3944	540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe	80
PID 3944 wrote to memory of 3560	3944	540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe	80
PID 3560 wrote to memory of 1712	3560	skz30vd.exe	81
PID 3560 wrote to memory of 1712	3560	skz30vd.exe	81
PID 3560 wrote to memory of 1712	3560	skz30vd.exe	81
PID 1712 wrote to memory of 4780	1712	sDD39XR.exe	82
PID 1712 wrote to memory of 4780	1712	sDD39XR.exe	82
PID 1712 wrote to memory of 4780	1712	sDD39XR.exe	82
PID 1712 wrote to memory of 3896	1712	sDD39XR.exe	84
PID 1712 wrote to memory of 3896	1712	sDD39XR.exe	84
PID 1712 wrote to memory of 3896	1712	sDD39XR.exe	84
PID 3896 wrote to memory of 4316	3896	mom02.exe	85
PID 3896 wrote to memory of 4316	3896	mom02.exe	85
PID 3896 wrote to memory of 4316	3896	mom02.exe	85
PID 3560 wrote to memory of 2536	3560	skz30vd.exe	86
PID 3560 wrote to memory of 2536	3560	skz30vd.exe	86
PID 3560 wrote to memory of 2536	3560	skz30vd.exe	86
PID 4316 wrote to memory of 2780	4316	mnolyk.exe	87
PID 4316 wrote to memory of 2780	4316	mnolyk.exe	87
PID 4316 wrote to memory of 2780	4316	mnolyk.exe	87
PID 4316 wrote to memory of 400	4316	mnolyk.exe	89
PID 4316 wrote to memory of 400	4316	mnolyk.exe	89
PID 4316 wrote to memory of 400	4316	mnolyk.exe	89
PID 400 wrote to memory of 2948	400	cmd.exe	91
PID 400 wrote to memory of 2948	400	cmd.exe	91
PID 400 wrote to memory of 2948	400	cmd.exe	91
PID 400 wrote to memory of 2280	400	cmd.exe	92
PID 400 wrote to memory of 2280	400	cmd.exe	92
PID 400 wrote to memory of 2280	400	cmd.exe	92
PID 400 wrote to memory of 2276	400	cmd.exe	93
PID 400 wrote to memory of 2276	400	cmd.exe	93
PID 400 wrote to memory of 2276	400	cmd.exe	93
PID 400 wrote to memory of 4092	400	cmd.exe	94
PID 400 wrote to memory of 4092	400	cmd.exe	94
PID 400 wrote to memory of 4092	400	cmd.exe	94
PID 400 wrote to memory of 4296	400	cmd.exe	95
PID 400 wrote to memory of 4296	400	cmd.exe	95
PID 400 wrote to memory of 4296	400	cmd.exe	95
PID 400 wrote to memory of 2388	400	cmd.exe	96
PID 400 wrote to memory of 2388	400	cmd.exe	96
PID 400 wrote to memory of 2388	400	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe
"C:\Users\Admin\AppData\Local\Temp\540b1f006ec0515d56aa1fca40c21808d4cf9ede79dd2159ec131644139370d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skz30vd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skz30vd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sDD39XR.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sDD39XR.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZE26Hs.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZE26Hs.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mom02.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mom02.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2780
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        7⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:N"
        7⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5eb6b96734" /P "Admin:R" /E
        7⤵
        
        PID:2388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nwx68he.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nwx68he.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2536 -ip 2536
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skz30vd.exe

Filesize
619KB

MD5
12b18d4db5b3bde331b7d02953bd2987

SHA1
4e98bb913fb2483865bf885b0cc46d0e608fca00

SHA256
43132141228c8f95b756d810d4ad84949683fb42b15838e193525141b1eb5888

SHA512
e12fef318343f1fd9d90d78f9586959c4a32ee67fc3d863914b345a1a694c4f444680cf49707a85c142ae948c25c8a124f2ca9a74a66e0f5f3c1fff1eed18957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skz30vd.exe

Filesize
619KB

MD5
12b18d4db5b3bde331b7d02953bd2987

SHA1
4e98bb913fb2483865bf885b0cc46d0e608fca00

SHA256
43132141228c8f95b756d810d4ad84949683fb42b15838e193525141b1eb5888

SHA512
e12fef318343f1fd9d90d78f9586959c4a32ee67fc3d863914b345a1a694c4f444680cf49707a85c142ae948c25c8a124f2ca9a74a66e0f5f3c1fff1eed18957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nwx68he.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nwx68he.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sDD39XR.exe

Filesize
286KB

MD5
4a96aa062b1fef0fce9af50ae2f2ae03

SHA1
fd5c3d74a0650bd05ebb534ebbbf137a2366177a

SHA256
53e460875d034a2c752d100248cc3db56fe1258bba23cb2911cba612be536017

SHA512
98e6fc4ac553decc402d8ca475cb53bfcd1edb58086feba4e5cde34795ca7f146db974ef2261f8235cc62215cdea8fd425a8794ecb88ed5a1c32d93405391af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sDD39XR.exe

Filesize
286KB

MD5
4a96aa062b1fef0fce9af50ae2f2ae03

SHA1
fd5c3d74a0650bd05ebb534ebbbf137a2366177a

SHA256
53e460875d034a2c752d100248cc3db56fe1258bba23cb2911cba612be536017

SHA512
98e6fc4ac553decc402d8ca475cb53bfcd1edb58086feba4e5cde34795ca7f146db974ef2261f8235cc62215cdea8fd425a8794ecb88ed5a1c32d93405391af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZE26Hs.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZE26Hs.exe

Filesize
175KB

MD5
da6f3bef8abc85bd09f50783059964e3

SHA1
a0f25f60ec1896c4c920ea397f40e6ce29724322

SHA256
e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

SHA512
4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mom02.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mom02.exe

Filesize
236KB

MD5
fde8915d251fada3a37530421eb29dcf

SHA1
44386a8947ddfab993409945dae05a772a13e047

SHA256
6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116

SHA512
ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Download Submit
memory/2536-170-0x00000000008E3000-0x0000000000911000-memory.dmp

Filesize
184KB

Download
memory/2536-171-0x0000000000A00000-0x0000000000A4B000-memory.dmp

Filesize
300KB

Download
memory/2536-172-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/2536-173-0x00000000008E3000-0x0000000000911000-memory.dmp

Filesize
184KB

Download
memory/4780-142-0x00000000058E0000-0x0000000005EF8000-memory.dmp

Filesize
6.1MB

Download
memory/4780-152-0x00000000065C0000-0x0000000006610000-memory.dmp

Filesize
320KB

Download
memory/4780-151-0x0000000006640000-0x00000000066B6000-memory.dmp

Filesize
472KB

Download
memory/4780-150-0x00000000075A0000-0x0000000007ACC000-memory.dmp

Filesize
5.2MB

Download
memory/4780-149-0x0000000006EA0000-0x0000000007062000-memory.dmp

Filesize
1.8MB

Download
memory/4780-148-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/4780-147-0x00000000068F0000-0x0000000006E94000-memory.dmp

Filesize
5.6MB

Download
memory/4780-146-0x0000000002B60000-0x0000000002BC6000-memory.dmp

Filesize
408KB

Download
memory/4780-145-0x0000000005390000-0x00000000053CC000-memory.dmp

Filesize
240KB

Download
memory/4780-144-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/4780-143-0x00000000053F0000-0x00000000054FA000-memory.dmp

Filesize
1.0MB

Download
memory/4780-141-0x0000000000950000-0x0000000000982000-memory.dmp

Filesize
200KB

Download