amadey | edd1c80de5371610068c46b3bca4e9034efc6efb52006fc93481a52b5279e4ac

Analysis

max time kernel
292s
max time network
303s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2023, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y9126994.exe
Size

475KB
MD5

567e3a10a2816c08e1072c389f975900
SHA1

a0957ea34eaaf07a37f7cc93d3952be3dd813962
SHA256

edd1c80de5371610068c46b3bca4e9034efc6efb52006fc93481a52b5279e4ac
SHA512

7802f6a65ae0efa8a40a19bc8ee56d09c85a3ab6975c54af0dbc99837aaef31a24712f153131fb47e10aec5fc98a8326565f2688b739b29c5956034c7a9a2b3f
SSDEEP

12288:8Mrky90ziPi0LxuXuuKRmEXYp7gM+JlX:oy4q0XKkEAgPD

Score

10^/10

amadey redline sruta infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4364	y0103610.exe
2160	l4092909.exe
1924	saves.exe
2532	m9159251.exe
2120	n6460209.exe
4372	saves.exe

Loads dropped DLL 1 IoCs

pid	Process
4108	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0103610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	y9126994.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4480	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4364	2128	y9126994.exe	70
PID 2128 wrote to memory of 4364	2128	y9126994.exe	70
PID 2128 wrote to memory of 4364	2128	y9126994.exe	70
PID 4364 wrote to memory of 2160	4364	y0103610.exe	71
PID 4364 wrote to memory of 2160	4364	y0103610.exe	71
PID 4364 wrote to memory of 2160	4364	y0103610.exe	71
PID 2160 wrote to memory of 1924	2160	l4092909.exe	72
PID 2160 wrote to memory of 1924	2160	l4092909.exe	72
PID 2160 wrote to memory of 1924	2160	l4092909.exe	72
PID 4364 wrote to memory of 2532	4364	y0103610.exe	73
PID 4364 wrote to memory of 2532	4364	y0103610.exe	73
PID 4364 wrote to memory of 2532	4364	y0103610.exe	73
PID 1924 wrote to memory of 4480	1924	saves.exe	74
PID 1924 wrote to memory of 4480	1924	saves.exe	74
PID 1924 wrote to memory of 4480	1924	saves.exe	74
PID 1924 wrote to memory of 5092	1924	saves.exe	76
PID 1924 wrote to memory of 5092	1924	saves.exe	76
PID 1924 wrote to memory of 5092	1924	saves.exe	76
PID 5092 wrote to memory of 2520	5092	cmd.exe	78
PID 5092 wrote to memory of 2520	5092	cmd.exe	78
PID 5092 wrote to memory of 2520	5092	cmd.exe	78
PID 2128 wrote to memory of 2120	2128	y9126994.exe	79
PID 2128 wrote to memory of 2120	2128	y9126994.exe	79
PID 2128 wrote to memory of 2120	2128	y9126994.exe	79
PID 5092 wrote to memory of 4312	5092	cmd.exe	80
PID 5092 wrote to memory of 4312	5092	cmd.exe	80
PID 5092 wrote to memory of 4312	5092	cmd.exe	80
PID 5092 wrote to memory of 708	5092	cmd.exe	81
PID 5092 wrote to memory of 708	5092	cmd.exe	81
PID 5092 wrote to memory of 708	5092	cmd.exe	81
PID 5092 wrote to memory of 4816	5092	cmd.exe	82
PID 5092 wrote to memory of 4816	5092	cmd.exe	82
PID 5092 wrote to memory of 4816	5092	cmd.exe	82
PID 5092 wrote to memory of 2952	5092	cmd.exe	83
PID 5092 wrote to memory of 2952	5092	cmd.exe	83
PID 5092 wrote to memory of 2952	5092	cmd.exe	83
PID 5092 wrote to memory of 4324	5092	cmd.exe	84
PID 5092 wrote to memory of 4324	5092	cmd.exe	84
PID 5092 wrote to memory of 4324	5092	cmd.exe	84
PID 1924 wrote to memory of 4108	1924	saves.exe	86
PID 1924 wrote to memory of 4108	1924	saves.exe	86
PID 1924 wrote to memory of 4108	1924	saves.exe	86

C:\Users\Admin\AppData\Local\Temp\y9126994.exe
"C:\Users\Admin\AppData\Local\Temp\y9126994.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103610.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103610.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4092909.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4092909.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2520
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:4312
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4816
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:4324
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9159251.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9159251.exe
    3⤵
    - Executes dropped EXE
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6460209.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6460209.exe
  2⤵
  - Executes dropped EXE
  PID:2120

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6460209.exe

Filesize
175KB

MD5
eef7317b2f218aeed3ab5a81d403eb6b

SHA1
d8773ca27f55e6d2ad49443fce6ffa8e28054a90

SHA256
d9255644677d26c3e3a7e4bcdb6733e510e2ce1115101ba36a38caf957934bf0

SHA512
035ac40b2353d1ebae4d8d6c0e064ee131af36261c2f0e2abeb9300571ac58bec4bf69a70ab8798a4c9200d4a177935eae0169d062ace669cde92e4f273fe18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6460209.exe

Filesize
175KB

MD5
eef7317b2f218aeed3ab5a81d403eb6b

SHA1
d8773ca27f55e6d2ad49443fce6ffa8e28054a90

SHA256
d9255644677d26c3e3a7e4bcdb6733e510e2ce1115101ba36a38caf957934bf0

SHA512
035ac40b2353d1ebae4d8d6c0e064ee131af36261c2f0e2abeb9300571ac58bec4bf69a70ab8798a4c9200d4a177935eae0169d062ace669cde92e4f273fe18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103610.exe

Filesize
319KB

MD5
72ba7dbdd55b0eb6bb0db73d9e302bb5

SHA1
aabe67039ba1a41411c0cd1da9cbb4b839b5062f

SHA256
f21ec11de0965adbb191226217f149d7549a3b202746937649fea3f94c317593

SHA512
d088944eda768db79c498b431e608ab9e3213d381cbe3aced0ab7f21c6c7867cb59ebb28c7fb7756e0e41e5c5fa36bb2c75a827024c26062fe8926e6635830fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0103610.exe

Filesize
319KB

MD5
72ba7dbdd55b0eb6bb0db73d9e302bb5

SHA1
aabe67039ba1a41411c0cd1da9cbb4b839b5062f

SHA256
f21ec11de0965adbb191226217f149d7549a3b202746937649fea3f94c317593

SHA512
d088944eda768db79c498b431e608ab9e3213d381cbe3aced0ab7f21c6c7867cb59ebb28c7fb7756e0e41e5c5fa36bb2c75a827024c26062fe8926e6635830fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4092909.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4092909.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9159251.exe

Filesize
140KB

MD5
91c81f3e70b45ac227d673f0e437351d

SHA1
87a18b1cf1dbab0ea84b51faaecf0d538acfa711

SHA256
0fd37d88744f10c36364e7206b6a7e53cc438386b8aab6c81387848426c7df74

SHA512
d0e7583e970defbecd3ef79ae202e1b1d7b72c80f075ca9df09a6bd2884f0c83634b0b08c798add861ccd4dd768c9b0477797aa55c6cc9f7bdedd004dd068897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9159251.exe

Filesize
140KB

MD5
91c81f3e70b45ac227d673f0e437351d

SHA1
87a18b1cf1dbab0ea84b51faaecf0d538acfa711

SHA256
0fd37d88744f10c36364e7206b6a7e53cc438386b8aab6c81387848426c7df74

SHA512
d0e7583e970defbecd3ef79ae202e1b1d7b72c80f075ca9df09a6bd2884f0c83634b0b08c798add861ccd4dd768c9b0477797aa55c6cc9f7bdedd004dd068897

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
328KB

MD5
aaad0f9ba5f40b72bae6c1ff268ed316

SHA1
9d59abfc22334399a06519f2f5d1f99be43f3061

SHA256
44d2b6b9203eb3b62137d48dfefa5ba8d350989316fa79815a375877c819a8e7

SHA512
f90fd9b9a06413f2e98333139937e6f6ae8b4418bb7cb466ba717630ebd20bc5075d2775ba8a395442e34de5e68733743b6ef90c271c96de7da0d19e87f9d614

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
374bfdcfcf19f4edfe949022092848d2

SHA1
df5ee40497e98efcfba30012452d433373d287d4

SHA256
224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f

SHA512
bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
memory/2120-27-0x0000000072090000-0x000000007277E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-32-0x000000000A3C0000-0x000000000A3FE000-memory.dmp

Filesize
248KB

Download
memory/2120-33-0x000000000A400000-0x000000000A44B000-memory.dmp

Filesize
300KB

Download
memory/2120-34-0x0000000072090000-0x000000007277E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-31-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/2120-30-0x000000000A450000-0x000000000A55A000-memory.dmp

Filesize
1.0MB

Download
memory/2120-29-0x000000000A950000-0x000000000AF56000-memory.dmp

Filesize
6.0MB

Download
memory/2120-28-0x0000000002760000-0x0000000002766000-memory.dmp

Filesize
24KB

Download
memory/2120-26-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads