amadey | 43f1688ac043cecbcdb543eea97e3fcd71a44f91c232829b1307c3b23d774094

Analysis

max time kernel
291s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2023, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y0198122.exe
Size

475KB
MD5

845164f542712ff6e6a6c60cfc6139c4
SHA1

316a2eaa8c3da9766b638cf8d08b9ffdafaf87ef
SHA256

43f1688ac043cecbcdb543eea97e3fcd71a44f91c232829b1307c3b23d774094
SHA512

2f201fa468286cb749c543d99822a942d870fa2f7979668c780af656aa3df252ae94d6655221c4ef5df03a8bc499d68782cd1c24f04a0dcdf35c05a7563a0fa5
SSDEEP

12288:4MrAy90/elwluSogIWKA/e7mKAKR8EXYp7xnpxU0Rb:oyRlwluszG7mHKyEAxUOb

Score

10^/10

amadey redline narik infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
544	y0841070.exe
920	l5106289.exe
2144	saves.exe
3988	m7762978.exe
4520	n4005994.exe
4332	saves.exe

Loads dropped DLL 1 IoCs

pid	Process
2732	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0841070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	y0198122.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3500	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 544	4288	y0198122.exe	69
PID 4288 wrote to memory of 544	4288	y0198122.exe	69
PID 4288 wrote to memory of 544	4288	y0198122.exe	69
PID 544 wrote to memory of 920	544	y0841070.exe	70
PID 544 wrote to memory of 920	544	y0841070.exe	70
PID 544 wrote to memory of 920	544	y0841070.exe	70
PID 920 wrote to memory of 2144	920	l5106289.exe	71
PID 920 wrote to memory of 2144	920	l5106289.exe	71
PID 920 wrote to memory of 2144	920	l5106289.exe	71
PID 544 wrote to memory of 3988	544	y0841070.exe	72
PID 544 wrote to memory of 3988	544	y0841070.exe	72
PID 544 wrote to memory of 3988	544	y0841070.exe	72
PID 2144 wrote to memory of 3500	2144	saves.exe	73
PID 2144 wrote to memory of 3500	2144	saves.exe	73
PID 2144 wrote to memory of 3500	2144	saves.exe	73
PID 2144 wrote to memory of 3684	2144	saves.exe	74
PID 2144 wrote to memory of 3684	2144	saves.exe	74
PID 2144 wrote to memory of 3684	2144	saves.exe	74
PID 3684 wrote to memory of 3020	3684	cmd.exe	77
PID 3684 wrote to memory of 3020	3684	cmd.exe	77
PID 3684 wrote to memory of 3020	3684	cmd.exe	77
PID 3684 wrote to memory of 3160	3684	cmd.exe	78
PID 3684 wrote to memory of 3160	3684	cmd.exe	78
PID 3684 wrote to memory of 3160	3684	cmd.exe	78
PID 3684 wrote to memory of 2092	3684	cmd.exe	80
PID 3684 wrote to memory of 2092	3684	cmd.exe	80
PID 3684 wrote to memory of 2092	3684	cmd.exe	80
PID 4288 wrote to memory of 4520	4288	y0198122.exe	79
PID 4288 wrote to memory of 4520	4288	y0198122.exe	79
PID 4288 wrote to memory of 4520	4288	y0198122.exe	79
PID 3684 wrote to memory of 612	3684	cmd.exe	81
PID 3684 wrote to memory of 612	3684	cmd.exe	81
PID 3684 wrote to memory of 612	3684	cmd.exe	81
PID 3684 wrote to memory of 2352	3684	cmd.exe	82
PID 3684 wrote to memory of 2352	3684	cmd.exe	82
PID 3684 wrote to memory of 2352	3684	cmd.exe	82
PID 3684 wrote to memory of 2112	3684	cmd.exe	83
PID 3684 wrote to memory of 2112	3684	cmd.exe	83
PID 3684 wrote to memory of 2112	3684	cmd.exe	83
PID 2144 wrote to memory of 2732	2144	saves.exe	85
PID 2144 wrote to memory of 2732	2144	saves.exe	85
PID 2144 wrote to memory of 2732	2144	saves.exe	85

C:\Users\Admin\AppData\Local\Temp\y0198122.exe
"C:\Users\Admin\AppData\Local\Temp\y0198122.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0841070.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0841070.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5106289.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5106289.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:3160
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:612
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:2352
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7762978.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7762978.exe
    3⤵
    - Executes dropped EXE
    PID:3988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4005994.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4005994.exe
  2⤵
  - Executes dropped EXE
  PID:4520

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4005994.exe

Filesize
174KB

MD5
c96e92cf8d826d2b5888e1c481feb2b9

SHA1
a49077162068d72e389135feace10e17b1035002

SHA256
4b002360f574475f9435add0cb4448555732d2381e30152fd8074f0ab66b7e9e

SHA512
b8761b2f56b3b8fa9226bfca47247f4fda4d2f21258ed6d7e2c74f40c482e97e601a57f1b6a7b60c7692308a811c10af2884ad9f98483a30d0126ca75a07fd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n4005994.exe

Filesize
174KB

MD5
c96e92cf8d826d2b5888e1c481feb2b9

SHA1
a49077162068d72e389135feace10e17b1035002

SHA256
4b002360f574475f9435add0cb4448555732d2381e30152fd8074f0ab66b7e9e

SHA512
b8761b2f56b3b8fa9226bfca47247f4fda4d2f21258ed6d7e2c74f40c482e97e601a57f1b6a7b60c7692308a811c10af2884ad9f98483a30d0126ca75a07fd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0841070.exe

Filesize
319KB

MD5
ff97944eff0fb7d4adcb6d46169c2c53

SHA1
f44cefde5b75c914faa3a6bdf3fa0e28f1c63a35

SHA256
24e593127d32e271ed1234c9575a46756fd9567d125a3d7353035155721b5bdd

SHA512
d1a0bfa017262ad1aa4c1c87b52873dd9dc57f606ad1cea9f899ede21a54055f9d7f546fb5200f3b8d78e27109834f615062d31e9ce0ad9c7106a663f30e609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0841070.exe

Filesize
319KB

MD5
ff97944eff0fb7d4adcb6d46169c2c53

SHA1
f44cefde5b75c914faa3a6bdf3fa0e28f1c63a35

SHA256
24e593127d32e271ed1234c9575a46756fd9567d125a3d7353035155721b5bdd

SHA512
d1a0bfa017262ad1aa4c1c87b52873dd9dc57f606ad1cea9f899ede21a54055f9d7f546fb5200f3b8d78e27109834f615062d31e9ce0ad9c7106a663f30e609f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5106289.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5106289.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7762978.exe

Filesize
141KB

MD5
58b01d5640e5cf7e0bf132dc6ac538e7

SHA1
2c05112988fa82a585662f21956bbec096993f4c

SHA256
1caa53722efc8235b6d3195dff29ce90b7985353dad1f9eb2053175848a7034c

SHA512
3491498dc4fd474e32a606375b805e3e7f066aea160dbff3ab489a46e2a6b244c3d37e05481e3be8ca84fd7a0c4607c22ef491c2aad85b23224effea3de56d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7762978.exe

Filesize
141KB

MD5
58b01d5640e5cf7e0bf132dc6ac538e7

SHA1
2c05112988fa82a585662f21956bbec096993f4c

SHA256
1caa53722efc8235b6d3195dff29ce90b7985353dad1f9eb2053175848a7034c

SHA512
3491498dc4fd474e32a606375b805e3e7f066aea160dbff3ab489a46e2a6b244c3d37e05481e3be8ca84fd7a0c4607c22ef491c2aad85b23224effea3de56d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
332KB

MD5
a006bde111e76b01a6bb5f080df506bc

SHA1
3cf8a58267405c05debc5d40cbe89f572d5fa144

SHA256
247f57980c312863a7e2f08bd3a00b93e66d627f776802a8edc12acf8914b110

SHA512
938af702b3ff343c2f4efad35486fd461a534460b750a4126d4c6edc74cf34d8c1a1d8e436eab2723837ac66bab391c61e238cc400b2f2909e7b84d2e9f07695

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
5bc0153d2973241b72a38c51a2f72116

SHA1
cd9c689663557452631d9f8ff609208b01884a32

SHA256
68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554

SHA512
2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Download Submit
memory/4520-27-0x0000000071F50000-0x000000007263E000-memory.dmp

Filesize
6.9MB

Download
memory/4520-31-0x000000000A6A0000-0x000000000A6B2000-memory.dmp

Filesize
72KB

Download
memory/4520-32-0x000000000A700000-0x000000000A73E000-memory.dmp

Filesize
248KB

Download
memory/4520-33-0x000000000A880000-0x000000000A8CB000-memory.dmp

Filesize
300KB

Download
memory/4520-34-0x0000000071F50000-0x000000007263E000-memory.dmp

Filesize
6.9MB

Download
memory/4520-30-0x000000000A770000-0x000000000A87A000-memory.dmp

Filesize
1.0MB

Download
memory/4520-29-0x000000000ABF0000-0x000000000B1F6000-memory.dmp

Filesize
6.0MB

Download
memory/4520-28-0x00000000011D0000-0x00000000011D6000-memory.dmp

Filesize
24KB

Download
memory/4520-26-0x0000000000960000-0x0000000000990000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads