amadey | 0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

Analysis

max time kernel
143s
max time network
129s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-05-2023 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

301KB
MD5

5599f89944adc8ccad21b5ab94d33381
SHA1

8df8ce98cdf2a8cef21e26b03841818c9d522ded
SHA256

0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
SHA512

a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171
SSDEEP

6144:BWHRhTLdCwcaYsbhO83elSyRG/1dZENASIbNjVveSvdNGf3m:BYBCwssbhOnSy3iBbNpvdk/

Score

10^/10

amadey redline persom infostealer spyware trojan

Malware Config

Extracted

Family

amadey

Version

3.69

88.218.60.230/Gb2dZz/index.php

Extracted

Family

redline

Botnet

PERSOM

176.124.219.192:14487

Attributes

auth_value
0695a610af712a57529526101d7e83b2

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1832	oneetx.exe
1632	exodus.exe
1700	oneetx.exe
828	oneetx.exe

Loads dropped DLL 3 IoCs

pid	Process
1108	file.exe
1108	file.exe
1832	oneetx.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1568	1632	exodus.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
560	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	oneetx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	oneetx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	AppLaunch.exe
1568	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1108	file.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1832	1108	file.exe	27
PID 1108 wrote to memory of 1832	1108	file.exe	27
PID 1108 wrote to memory of 1832	1108	file.exe	27
PID 1108 wrote to memory of 1832	1108	file.exe	27
PID 1832 wrote to memory of 560	1832	oneetx.exe	28
PID 1832 wrote to memory of 560	1832	oneetx.exe	28
PID 1832 wrote to memory of 560	1832	oneetx.exe	28
PID 1832 wrote to memory of 560	1832	oneetx.exe	28
PID 1832 wrote to memory of 1700	1832	oneetx.exe	30
PID 1832 wrote to memory of 1700	1832	oneetx.exe	30
PID 1832 wrote to memory of 1700	1832	oneetx.exe	30
PID 1832 wrote to memory of 1700	1832	oneetx.exe	30
PID 1700 wrote to memory of 748	1700	cmd.exe	32
PID 1700 wrote to memory of 748	1700	cmd.exe	32
PID 1700 wrote to memory of 748	1700	cmd.exe	32
PID 1700 wrote to memory of 748	1700	cmd.exe	32
PID 1700 wrote to memory of 1696	1700	cmd.exe	33
PID 1700 wrote to memory of 1696	1700	cmd.exe	33
PID 1700 wrote to memory of 1696	1700	cmd.exe	33
PID 1700 wrote to memory of 1696	1700	cmd.exe	33
PID 1700 wrote to memory of 532	1700	cmd.exe	34
PID 1700 wrote to memory of 532	1700	cmd.exe	34
PID 1700 wrote to memory of 532	1700	cmd.exe	34
PID 1700 wrote to memory of 532	1700	cmd.exe	34
PID 1700 wrote to memory of 1292	1700	cmd.exe	35
PID 1700 wrote to memory of 1292	1700	cmd.exe	35
PID 1700 wrote to memory of 1292	1700	cmd.exe	35
PID 1700 wrote to memory of 1292	1700	cmd.exe	35
PID 1700 wrote to memory of 2000	1700	cmd.exe	36
PID 1700 wrote to memory of 2000	1700	cmd.exe	36
PID 1700 wrote to memory of 2000	1700	cmd.exe	36
PID 1700 wrote to memory of 2000	1700	cmd.exe	36
PID 1700 wrote to memory of 1532	1700	cmd.exe	37
PID 1700 wrote to memory of 1532	1700	cmd.exe	37
PID 1700 wrote to memory of 1532	1700	cmd.exe	37
PID 1700 wrote to memory of 1532	1700	cmd.exe	37
PID 1832 wrote to memory of 1632	1832	oneetx.exe	40
PID 1832 wrote to memory of 1632	1832	oneetx.exe	40
PID 1832 wrote to memory of 1632	1832	oneetx.exe	40
PID 1832 wrote to memory of 1632	1832	oneetx.exe	40
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1632 wrote to memory of 1568	1632	exodus.exe	42
PID 1180 wrote to memory of 1700	1180	taskeng.exe	45
PID 1180 wrote to memory of 1700	1180	taskeng.exe	45
PID 1180 wrote to memory of 1700	1180	taskeng.exe	45
PID 1180 wrote to memory of 1700	1180	taskeng.exe	45
PID 1180 wrote to memory of 828	1180	taskeng.exe	46
PID 1180 wrote to memory of 828	1180	taskeng.exe	46
PID 1180 wrote to memory of 828	1180	taskeng.exe	46
PID 1180 wrote to memory of 828	1180	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\d96cb54b4a" /P "Admin:N"&&CACLS "..\d96cb54b4a" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\d96cb54b4a" /P "Admin:N"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\d96cb54b4a" /P "Admin:R" /E
      4⤵
      PID:1532
- - C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe
    "C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568

C:\Windows\system32\taskeng.exe
taskeng.exe {0784DD32-967D-4C92-8983-760BB0BE6798} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe

Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe

Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
\Users\Admin\AppData\Local\Temp\1000029001\exodus.exe

Filesize
320KB

MD5
b9352f9dcaba6a6ebeed5c756dfe5e74

SHA1
cf0fd4f388aac8302606d59f83cd576cdfe94e92

SHA256
e25c3f7621547050d8b33edb42b6efb31f3eecbfdf5ff347ca2396a67fb41b27

SHA512
e595bbd5e37579d561565879de6ac4aadf43c155c770d4506419e575d74d202ccde61bee216b5ffc1996cd4e49e5fd819e21c536de19b79fbaecf44a8c9807ff

Download Submit
\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe

Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
memory/828-129-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1108-68-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1108-66-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1568-105-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1568-109-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1568-111-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1568-112-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1568-113-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1568-104-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1700-120-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1832-114-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1832-70-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download