amadey | b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce

Analysis

max time kernel
144s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
04/08/2023, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe
Size

560KB
MD5

a3ac18e6a5ba26bce3ec2315bc8ba351
SHA1

05ac4ab6b3f6f05de88db81ae4f1c75caeed6abf
SHA256

b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce
SHA512

b95db767e3a69ce3e0fd821ee15e3ed1105853c0a9bb85c67d11e028166a74448fd63ad7b23e338d4a566333fc03d9ecbf63b8564ecd58de5f6c1951c4bb8e3f
SSDEEP

12288:AMrSy90xg7n34mHD7kIeIw6Zm0wGMXytXdiNkY8:Cyu2nImD7kFMtpMXyxdikX

Score

10^/10

amadey healer redline maxik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Extracted

Family

redline

Botnet

maxik

77.91.124.156:19071

Attributes

auth_value
a7714e1bc167c67e3fc8f9e368352269

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b039-141.dat	healer
behavioral1/files/0x000700000001b039-142.dat	healer
behavioral1/memory/4932-143-0x0000000000120000-0x000000000012A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p2912870.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p2912870.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p2912870.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p2912870.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p2912870.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2624	z5030522.exe
4248	z6798551.exe
4932	p2912870.exe
2760	r2455564.exe
976	s5611153.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p2912870.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5030522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6798551.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4932	p2912870.exe
4932	p2912870.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	p2912870.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2624	4616	b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe	70
PID 4616 wrote to memory of 2624	4616	b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe	70
PID 4616 wrote to memory of 2624	4616	b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe	70
PID 2624 wrote to memory of 4248	2624	z5030522.exe	71
PID 2624 wrote to memory of 4248	2624	z5030522.exe	71
PID 2624 wrote to memory of 4248	2624	z5030522.exe	71
PID 4248 wrote to memory of 4932	4248	z6798551.exe	72
PID 4248 wrote to memory of 4932	4248	z6798551.exe	72
PID 4248 wrote to memory of 2760	4248	z6798551.exe	73
PID 4248 wrote to memory of 2760	4248	z6798551.exe	73
PID 4248 wrote to memory of 2760	4248	z6798551.exe	73
PID 2624 wrote to memory of 976	2624	z5030522.exe	74
PID 2624 wrote to memory of 976	2624	z5030522.exe	74
PID 2624 wrote to memory of 976	2624	z5030522.exe	74

C:\Users\Admin\AppData\Local\Temp\b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe
"C:\Users\Admin\AppData\Local\Temp\b9727f5af366f84be02f19ea57348f5f7249e8d38dabfac0bb3fd523840c71ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5030522.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5030522.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6798551.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6798551.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2912870.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2912870.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2455564.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2455564.exe
      4⤵
      Executes dropped EXE
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5611153.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5611153.exe
    3⤵
    - Executes dropped EXE
    PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5030522.exe

Filesize
432KB

MD5
8f3d0d6d8714a40147bb304c21aa8bb8

SHA1
006c004021d3f64b1021bd259dfe457cfaf2271a

SHA256
acbbdf18c6cd48f755e98b07e3d0ce1d5b7118a1f00c342cadaf9533c9fa4871

SHA512
2edfedf7fde2546728d64aa71fcdd9e312e357c3d20526b253460b3df4ccbe378fb7cf7ba91aa625e5f83d1c58055a5b2b734424211862ec5cd98c0f811f448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5030522.exe

Filesize
432KB

MD5
8f3d0d6d8714a40147bb304c21aa8bb8

SHA1
006c004021d3f64b1021bd259dfe457cfaf2271a

SHA256
acbbdf18c6cd48f755e98b07e3d0ce1d5b7118a1f00c342cadaf9533c9fa4871

SHA512
2edfedf7fde2546728d64aa71fcdd9e312e357c3d20526b253460b3df4ccbe378fb7cf7ba91aa625e5f83d1c58055a5b2b734424211862ec5cd98c0f811f448f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5611153.exe

Filesize
177KB

MD5
2823b5a1de67bb6abd0a37235563cd48

SHA1
a2478873bbb86b58cb42e43d0de423c6e38e5501

SHA256
d92bbbf973faacb96eb0ec10b55391c500865c39286bc56360c8554bb968b2d6

SHA512
5f79b953c4c79cd4fdf5de445d4e6d883dd813844ec4a9f317bf64c42e533c43bde406eaf1c00d8ebd41cad31be25f7c66fca943cc64ba8c6aef7027a82130e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5611153.exe

Filesize
177KB

MD5
2823b5a1de67bb6abd0a37235563cd48

SHA1
a2478873bbb86b58cb42e43d0de423c6e38e5501

SHA256
d92bbbf973faacb96eb0ec10b55391c500865c39286bc56360c8554bb968b2d6

SHA512
5f79b953c4c79cd4fdf5de445d4e6d883dd813844ec4a9f317bf64c42e533c43bde406eaf1c00d8ebd41cad31be25f7c66fca943cc64ba8c6aef7027a82130e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6798551.exe

Filesize
277KB

MD5
b42b1af0fa1a8fc0b6080a724f18a7e1

SHA1
9b92e6b5c10a2ae117ab9a7d3f9164417fe77fbd

SHA256
9778ff7939423c3af96be675570b73707d116533c531081a2c60f3fdf9f8915e

SHA512
259d7af8a0f1aedd368547815f0e481d685f181d9caa3ba5346bf368a8c0bcbdf489c419c2a691ded5699e9c4aadd19592fbff454ba638a1324f3a552f068261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6798551.exe

Filesize
277KB

MD5
b42b1af0fa1a8fc0b6080a724f18a7e1

SHA1
9b92e6b5c10a2ae117ab9a7d3f9164417fe77fbd

SHA256
9778ff7939423c3af96be675570b73707d116533c531081a2c60f3fdf9f8915e

SHA512
259d7af8a0f1aedd368547815f0e481d685f181d9caa3ba5346bf368a8c0bcbdf489c419c2a691ded5699e9c4aadd19592fbff454ba638a1324f3a552f068261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2912870.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\p2912870.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2455564.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r2455564.exe

Filesize
313KB

MD5
2c1528a6992ce0ac3a41d0da5cf846ba

SHA1
c315a74e85861b7abd2b9f213982f536a018a63d

SHA256
b269720acebdba99f8294306dfe575089c8e915af45556e49f82a9d7f1460742

SHA512
f6675f6260e335f7e8001808070e446cefa84460ef3b9d6dd6b9dbee5db6276af510944823a9de3ea23f9c879340772625b10e0fcfd6b6d9ba1c288dc0fa1341

Download Submit
memory/976-153-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download
memory/976-154-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/976-155-0x00000000031A0000-0x00000000031A6000-memory.dmp

Filesize
24KB

Download
memory/976-156-0x0000000005F10000-0x0000000006516000-memory.dmp

Filesize
6.0MB

Download
memory/976-157-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/976-158-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/976-159-0x0000000005900000-0x000000000593E000-memory.dmp

Filesize
248KB

Download
memory/976-160-0x0000000005940000-0x000000000598B000-memory.dmp

Filesize
300KB

Download
memory/976-161-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/4932-146-0x00007FFC50F80000-0x00007FFC5196C000-memory.dmp

Filesize
9.9MB

Download
memory/4932-144-0x00007FFC50F80000-0x00007FFC5196C000-memory.dmp

Filesize
9.9MB

Download
memory/4932-143-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download