amadey | e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a

General

Target

e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe
Size

490KB
MD5

05b49a0f74c155772de3b78bf805b75d
SHA1

19b3aa205a4a6eb3156ccafdbb78fcce2a065d2a
SHA256

e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a
SHA512

2cbdd5a9e9505c0bec020070d21c42e0ef934e08b4e7115d53a2fdf6db549cfd8de133bd3a6bb836b83b107f47a7ddb33f99bc50c68609daeb467fc00ac00219
SSDEEP

12288:2MrMy90ee6oMkl/oMJZL0dzVH3gnepaLqf2XQwQsb:WyTeX/NyxieOqeAG

Score

10^/10

amadey redline lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

217.196.96.101:4132

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o2766108.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o2766108.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

z2524210.exeo2766108.exer7364936.exes3301434.exe

pid process

1992 z2524210.exe
1412 o2766108.exe
4384 r7364936.exe
3368 s3301434.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1992	z2524210.exe
1412	o2766108.exe
4384	r7364936.exe
3368	s3301434.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o2766108.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o2766108.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o2766108.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z2524210.exee59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2524210.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2524210.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o2766108.exer7364936.exe

pid process

1412 o2766108.exe
1412 o2766108.exe
4384 r7364936.exe
4384 r7364936.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

o2766108.exer7364936.exe

description pid process

Token: SeDebugPrivilege 1412 o2766108.exe
Token: SeDebugPrivilege 4384 r7364936.exe

pid	process
1412	o2766108.exe
1412	o2766108.exe
4384	r7364936.exe
4384	r7364936.exe

description	pid	process
Token: SeDebugPrivilege	1412	o2766108.exe
Token: SeDebugPrivilege	4384	r7364936.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exez2524210.exe

description	pid	process	target process
PID 4748 wrote to memory of 1992	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	z2524210.exe
PID 4748 wrote to memory of 1992	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	z2524210.exe
PID 4748 wrote to memory of 1992	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	z2524210.exe
PID 1992 wrote to memory of 1412	1992	z2524210.exe	o2766108.exe
PID 1992 wrote to memory of 1412	1992	z2524210.exe	o2766108.exe
PID 1992 wrote to memory of 1412	1992	z2524210.exe	o2766108.exe
PID 1992 wrote to memory of 4384	1992	z2524210.exe	r7364936.exe
PID 1992 wrote to memory of 4384	1992	z2524210.exe	r7364936.exe
PID 1992 wrote to memory of 4384	1992	z2524210.exe	r7364936.exe
PID 4748 wrote to memory of 3368	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	s3301434.exe
PID 4748 wrote to memory of 3368	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	s3301434.exe
PID 4748 wrote to memory of 3368	4748	e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe	s3301434.exe

C:\Users\Admin\AppData\Local\Temp\e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe
"C:\Users\Admin\AppData\Local\Temp\e59600bb3740fc08a67b8a3f05353f32c78e557c3759b26b5b552f186e96e61a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2524210.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2524210.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2766108.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2766108.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7364936.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7364936.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3301434.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3301434.exe
2⤵
- Executes dropped EXE
PID:3368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3301434.exe
Filesize
231KB

MD5
98ab0968255dec0152d71bf440009a13

SHA1
0b6ea47c69a4f75739e1dc64d7532ae39fa9db40

SHA256
662ff1ad5d4549127ccd07c24446cf6738fa0943b710525d2fdc0f7afbc2b24a

SHA512
bf64b59c01d95a18176f1c36dfbaf112de0185ea1d749e1ae9832ce161bd8d5c6456017da0c5cb5a0ea43586bcafa3f94e6bd68c0b5fff69de4f0056f75b2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s3301434.exe
Filesize
231KB

MD5
98ab0968255dec0152d71bf440009a13

SHA1
0b6ea47c69a4f75739e1dc64d7532ae39fa9db40

SHA256
662ff1ad5d4549127ccd07c24446cf6738fa0943b710525d2fdc0f7afbc2b24a

SHA512
bf64b59c01d95a18176f1c36dfbaf112de0185ea1d749e1ae9832ce161bd8d5c6456017da0c5cb5a0ea43586bcafa3f94e6bd68c0b5fff69de4f0056f75b2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2524210.exe
Filesize
307KB

MD5
6fd78c6bd6d724a8938911d325d1020d

SHA1
a041be857239a3bd95fb8febd2bbf03274e14901

SHA256
2c9facb57ae81b102cd96ea99113de707cf13a14c9d2ec5f294063a6988febba

SHA512
604d8903508b164dd33b8164b717650c2f064e79a68ac23a1d071883fcadad6cdf8fb32b49de1225369be1af621b6cc1cab60701c3018ef7787cf2603e735bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2524210.exe
Filesize
307KB

MD5
6fd78c6bd6d724a8938911d325d1020d

SHA1
a041be857239a3bd95fb8febd2bbf03274e14901

SHA256
2c9facb57ae81b102cd96ea99113de707cf13a14c9d2ec5f294063a6988febba

SHA512
604d8903508b164dd33b8164b717650c2f064e79a68ac23a1d071883fcadad6cdf8fb32b49de1225369be1af621b6cc1cab60701c3018ef7787cf2603e735bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2766108.exe
Filesize
177KB

MD5
2005e8c5d17045e867b3db4a7f46eefd

SHA1
3cffa27424b75ebd4cb6ab3b0c27709ba16ad743

SHA256
5335895f74ba4a01c6347cbaa5161d88a4fe216952d63e8e5451f1bf194c0601

SHA512
8a38cbf83180fec3b7b6048e5e051fdf5fc9a9462228399215fbf17a06b9ceac25a90e28a2bcce1354b8ef3650f387ebf361e4039622d04788d59843c54d95f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2766108.exe
Filesize
177KB

MD5
2005e8c5d17045e867b3db4a7f46eefd

SHA1
3cffa27424b75ebd4cb6ab3b0c27709ba16ad743

SHA256
5335895f74ba4a01c6347cbaa5161d88a4fe216952d63e8e5451f1bf194c0601

SHA512
8a38cbf83180fec3b7b6048e5e051fdf5fc9a9462228399215fbf17a06b9ceac25a90e28a2bcce1354b8ef3650f387ebf361e4039622d04788d59843c54d95f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7364936.exe
Filesize
168KB

MD5
92bd4f998e91a9073f708e32153effbf

SHA1
25e0629fdb14304f32cbe71b45e4a6a2fb0c6905

SHA256
68105ae8020a7e435b4e8c180bed6742a4c8554f575866cba40319b52738af69

SHA512
b4041a55219114391a5f5505a598c5f1d04bf58cfa19b2a9570f397ee0e80ea997b900a421dc8eb451152e2052f63c7f9c09d062a8622c7ad48fe22021406ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7364936.exe
Filesize
168KB

MD5
92bd4f998e91a9073f708e32153effbf

SHA1
25e0629fdb14304f32cbe71b45e4a6a2fb0c6905

SHA256
68105ae8020a7e435b4e8c180bed6742a4c8554f575866cba40319b52738af69

SHA512
b4041a55219114391a5f5505a598c5f1d04bf58cfa19b2a9570f397ee0e80ea997b900a421dc8eb451152e2052f63c7f9c09d062a8622c7ad48fe22021406ae8

Download Submit
memory/1412-172-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-181-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1412-154-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-156-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-158-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-160-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-162-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-164-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-166-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-168-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-170-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-174-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-152-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-176-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-178-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-179-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1412-180-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1412-151-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/1412-150-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1412-149-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/1412-147-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/1412-148-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/4384-194-0x000000000B390000-0x000000000B422000-memory.dmp

Filesize
584KB

Download
memory/4384-189-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/4384-190-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4384-191-0x000000000A840000-0x000000000A87C000-memory.dmp

Filesize
240KB

Download
memory/4384-192-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4384-193-0x000000000AC50000-0x000000000ACC6000-memory.dmp

Filesize
472KB

Download
memory/4384-188-0x000000000A8B0000-0x000000000A9BA000-memory.dmp

Filesize
1.0MB

Download
memory/4384-195-0x000000000B430000-0x000000000B496000-memory.dmp

Filesize
408KB

Download
memory/4384-196-0x000000000A6B0000-0x000000000A700000-memory.dmp

Filesize
320KB

Download
memory/4384-197-0x000000000BF90000-0x000000000C152000-memory.dmp

Filesize
1.8MB

Download
memory/4384-198-0x000000000C690000-0x000000000CBBC000-memory.dmp

Filesize
5.2MB

Download
memory/4384-187-0x000000000AD70000-0x000000000B388000-memory.dmp

Filesize
6.1MB

Download
memory/4384-186-0x0000000000930000-0x0000000000960000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads