amadey | b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1

Analysis

max time kernel
177s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe
Size

489KB
MD5

53b89290164ad961ce0355992c2f3d51
SHA1

0172b20cd0786579ad6b34e857deb757fafafe80
SHA256

b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1
SHA512

1326b612177e95713133172916ece2ee69be5627ba86ec637972de725ba1c9c2ced99d4f7bbda0fc9398dcb71a17e2ec58d595f03253c9463c11064d96ef5255
SSDEEP

12288:qMrgy909bvFr78FuN5c1u31wTbCacWPgelQxb1l5sZAUvk:myqhPTX+TOeYRl5kc

Score

10^/10

amadey redline lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

217.196.96.101:4132

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o0284482.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o0284482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o0284482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o0284482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o0284482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o0284482.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o0284482.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s0318964.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	s0318964.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 5 IoCs

Processes:

z7299060.exeo0284482.exer3945691.exes0318964.exeoneetx.exe

pid process

4372 z7299060.exe
740 o0284482.exe
4012 r3945691.exe
820 s0318964.exe
4420 oneetx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4372	z7299060.exe
740	o0284482.exe
4012	r3945691.exe
820	s0318964.exe
4420	oneetx.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o0284482.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o0284482.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o0284482.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z7299060.exeb783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7299060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7299060.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2716 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o0284482.exer3945691.exe

pid process

740 o0284482.exe
740 o0284482.exe
4012 r3945691.exe
4012 r3945691.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

o0284482.exer3945691.exe

description pid process

Token: SeDebugPrivilege 740 o0284482.exe
Token: SeDebugPrivilege 4012 r3945691.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s0318964.exe

pid process

820 s0318964.exe

pid	process
2716	schtasks.exe

pid	process
740	o0284482.exe
740	o0284482.exe
4012	r3945691.exe
4012	r3945691.exe

description	pid	process
Token: SeDebugPrivilege	740	o0284482.exe
Token: SeDebugPrivilege	4012	r3945691.exe

pid	process
820	s0318964.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exez7299060.exes0318964.exeoneetx.exe

description	pid	process	target process
PID 1456 wrote to memory of 4372	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	z7299060.exe
PID 1456 wrote to memory of 4372	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	z7299060.exe
PID 1456 wrote to memory of 4372	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	z7299060.exe
PID 4372 wrote to memory of 740	4372	z7299060.exe	o0284482.exe
PID 4372 wrote to memory of 740	4372	z7299060.exe	o0284482.exe
PID 4372 wrote to memory of 740	4372	z7299060.exe	o0284482.exe
PID 4372 wrote to memory of 4012	4372	z7299060.exe	r3945691.exe
PID 4372 wrote to memory of 4012	4372	z7299060.exe	r3945691.exe
PID 4372 wrote to memory of 4012	4372	z7299060.exe	r3945691.exe
PID 1456 wrote to memory of 820	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	s0318964.exe
PID 1456 wrote to memory of 820	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	s0318964.exe
PID 1456 wrote to memory of 820	1456	b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe	s0318964.exe
PID 820 wrote to memory of 4420	820	s0318964.exe	oneetx.exe
PID 820 wrote to memory of 4420	820	s0318964.exe	oneetx.exe
PID 820 wrote to memory of 4420	820	s0318964.exe	oneetx.exe
PID 4420 wrote to memory of 2716	4420	oneetx.exe	schtasks.exe
PID 4420 wrote to memory of 2716	4420	oneetx.exe	schtasks.exe
PID 4420 wrote to memory of 2716	4420	oneetx.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe
"C:\Users\Admin\AppData\Local\Temp\b783c47e3a116b5fd7a3f2a33067b547165a56b6dd18d2d51c0f9a97d7f929f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299060.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299060.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0284482.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0284482.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3945691.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3945691.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0318964.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0318964.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
0f95718c5f137ab54432897893409803

SHA1
bf59e36c5ebf730a4186f8c460adf0e4faaaf6c9

SHA256
530c7665106c9a3951c12ca5fec2b78c51a9266cd4bd4962bf90c4a38c269b00

SHA512
51989d9deffa98f581a9eb32b22cd94041ad73a3f8be48e090c06a0daff1216cf7d535efb6acb1544443b34230a6816e831cfe680db645dd290b6b1dd27b2f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
0f95718c5f137ab54432897893409803

SHA1
bf59e36c5ebf730a4186f8c460adf0e4faaaf6c9

SHA256
530c7665106c9a3951c12ca5fec2b78c51a9266cd4bd4962bf90c4a38c269b00

SHA512
51989d9deffa98f581a9eb32b22cd94041ad73a3f8be48e090c06a0daff1216cf7d535efb6acb1544443b34230a6816e831cfe680db645dd290b6b1dd27b2f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
0f95718c5f137ab54432897893409803

SHA1
bf59e36c5ebf730a4186f8c460adf0e4faaaf6c9

SHA256
530c7665106c9a3951c12ca5fec2b78c51a9266cd4bd4962bf90c4a38c269b00

SHA512
51989d9deffa98f581a9eb32b22cd94041ad73a3f8be48e090c06a0daff1216cf7d535efb6acb1544443b34230a6816e831cfe680db645dd290b6b1dd27b2f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0318964.exe
Filesize
231KB

MD5
0f95718c5f137ab54432897893409803

SHA1
bf59e36c5ebf730a4186f8c460adf0e4faaaf6c9

SHA256
530c7665106c9a3951c12ca5fec2b78c51a9266cd4bd4962bf90c4a38c269b00

SHA512
51989d9deffa98f581a9eb32b22cd94041ad73a3f8be48e090c06a0daff1216cf7d535efb6acb1544443b34230a6816e831cfe680db645dd290b6b1dd27b2f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0318964.exe
Filesize
231KB

MD5
0f95718c5f137ab54432897893409803

SHA1
bf59e36c5ebf730a4186f8c460adf0e4faaaf6c9

SHA256
530c7665106c9a3951c12ca5fec2b78c51a9266cd4bd4962bf90c4a38c269b00

SHA512
51989d9deffa98f581a9eb32b22cd94041ad73a3f8be48e090c06a0daff1216cf7d535efb6acb1544443b34230a6816e831cfe680db645dd290b6b1dd27b2f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299060.exe
Filesize
307KB

MD5
d9c8cff741e3be2ff7bd49253da61a7f

SHA1
990e45017d5ed174cf1298ea8c7de60413c7e8a6

SHA256
34845e6f702ecf2952f9b74a922c2e01144ba6df725632e0ba098565b657cf34

SHA512
a812736a6c9325571e3c049bf007e550c0d777b565b5b5f33326b3e8347af1a70a45745f29d561cbe58fee13dbadc35a1aa61ffdb562c9098c20a59ee557bd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299060.exe
Filesize
307KB

MD5
d9c8cff741e3be2ff7bd49253da61a7f

SHA1
990e45017d5ed174cf1298ea8c7de60413c7e8a6

SHA256
34845e6f702ecf2952f9b74a922c2e01144ba6df725632e0ba098565b657cf34

SHA512
a812736a6c9325571e3c049bf007e550c0d777b565b5b5f33326b3e8347af1a70a45745f29d561cbe58fee13dbadc35a1aa61ffdb562c9098c20a59ee557bd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0284482.exe
Filesize
177KB

MD5
21e64f8d9cd0f64fa3392230f09d8cf1

SHA1
0b837d9cde278d9852b9d8d350d3ff933aa78230

SHA256
1f216426a69fbe4a10dd2fdb78f26df0e986b85f3a6d54306d3eade64aab2291

SHA512
5c04fdc3fa6dbb121419790a5c7c6484e0ed3711123aae61703e748ee1374951e8018152927b9dc43c17bfbf54d9e7eeeb2ec270a40295cf6e20a16bb56cb54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0284482.exe
Filesize
177KB

MD5
21e64f8d9cd0f64fa3392230f09d8cf1

SHA1
0b837d9cde278d9852b9d8d350d3ff933aa78230

SHA256
1f216426a69fbe4a10dd2fdb78f26df0e986b85f3a6d54306d3eade64aab2291

SHA512
5c04fdc3fa6dbb121419790a5c7c6484e0ed3711123aae61703e748ee1374951e8018152927b9dc43c17bfbf54d9e7eeeb2ec270a40295cf6e20a16bb56cb54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3945691.exe
Filesize
168KB

MD5
07cc0d25f7a85e0993cfc829fe792f0a

SHA1
5f954262b2eb1fa3fc1e24bb45d67901bad91600

SHA256
40731becd7798c14f856f66ad1cd36cbdd0d057c362834bcc3268dcbc84c2a51

SHA512
7d213147c5eb62f0395d8f26b44086de3c3a69be338d6a7e4a432eb1a3fc2c21a6446c041d5340f254f38b1eba1264c0697099552d3c4f4aab7118fb9ad629e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3945691.exe
Filesize
168KB

MD5
07cc0d25f7a85e0993cfc829fe792f0a

SHA1
5f954262b2eb1fa3fc1e24bb45d67901bad91600

SHA256
40731becd7798c14f856f66ad1cd36cbdd0d057c362834bcc3268dcbc84c2a51

SHA512
7d213147c5eb62f0395d8f26b44086de3c3a69be338d6a7e4a432eb1a3fc2c21a6446c041d5340f254f38b1eba1264c0697099552d3c4f4aab7118fb9ad629e9

Download Submit
memory/740-178-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-156-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-160-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-162-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-164-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-166-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-168-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-170-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-172-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-174-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-176-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-151-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-179-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/740-180-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/740-154-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-152-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-147-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/740-158-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/740-148-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/740-149-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/740-150-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4012-186-0x000000000AF70000-0x000000000B588000-memory.dmp

Filesize
6.1MB

Download
memory/4012-191-0x00000000054D0000-0x000000000550C000-memory.dmp

Filesize
240KB

Download
memory/4012-192-0x000000000AE60000-0x000000000AED6000-memory.dmp

Filesize
472KB

Download
memory/4012-193-0x000000000B630000-0x000000000B6C2000-memory.dmp

Filesize
584KB

Download
memory/4012-194-0x000000000B7D0000-0x000000000B836000-memory.dmp

Filesize
408KB

Download
memory/4012-195-0x0000000002B00000-0x0000000002B50000-memory.dmp

Filesize
320KB

Download
memory/4012-196-0x000000000BA40000-0x000000000BC02000-memory.dmp

Filesize
1.8MB

Download
memory/4012-197-0x000000000C760000-0x000000000CC8C000-memory.dmp

Filesize
5.2MB

Download
memory/4012-190-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4012-188-0x000000000A9B0000-0x000000000A9C2000-memory.dmp

Filesize
72KB

Download
memory/4012-189-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4012-187-0x000000000AA80000-0x000000000AB8A000-memory.dmp

Filesize
1.0MB

Download
memory/4012-185-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download