amadey | 7259a84f7267377ff79bf5454a63261e3968f585f32f1dc7efdcebe3485eba73

Analysis

max time kernel
40s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

277KB
MD5

5bfa29282fabb73dff1e459775ca7c3e
SHA1

3435e68516c3445dd9fcc0e062177594b5bf8308
SHA256

7259a84f7267377ff79bf5454a63261e3968f585f32f1dc7efdcebe3485eba73
SHA512

91e284341006c13eace4b28d28404284c11fb317a73125a2fbe584f290e52592d2f2da8b182441a034a3a2b3bc314e5a0b219ef8131a83a128387a71577c0eea
SSDEEP

3072:u6g0kPlK76IgZFKxfx2nF2wkFyVTaohKvKt:1UPlKeHmcF2wkY9azK

Score

10^/10

amadey lgoogloader redline smokeloader lux3 backdoor downloader infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Extracted

Family

redline

Botnet

lux3

176.123.9.142:14845

Attributes

auth_value
e94dff9a76da90d6b000642c4a52574b

Extracted

Family

amadey

Version

3.87

http://79.137.192.18/9bDc8sQ/index.php

Attributes

install_dir
577f58beff
install_file
yiueea.exe
strings_key
a5085075a537f09dec81cc154ec0af4d

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/1504-76-0x00000000012F0000-0x00000000012FD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1508	1008.exe
4888	127A.exe
1472	13D3.exe
1844	23C2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	file.exe
4292	file.exe
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found
3228	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4292	file.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found
Token: SeShutdownPrivilege	3228	Process not Found
Token: SeCreatePagefilePrivilege	3228	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1508	3228	Process not Found	79
PID 3228 wrote to memory of 1508	3228	Process not Found	79
PID 3228 wrote to memory of 1508	3228	Process not Found	79
PID 3228 wrote to memory of 4888	3228	Process not Found	80
PID 3228 wrote to memory of 4888	3228	Process not Found	80
PID 3228 wrote to memory of 4888	3228	Process not Found	80
PID 3228 wrote to memory of 1472	3228	Process not Found	82
PID 3228 wrote to memory of 1472	3228	Process not Found	82
PID 3228 wrote to memory of 1472	3228	Process not Found	82
PID 3228 wrote to memory of 1844	3228	Process not Found	83
PID 3228 wrote to memory of 1844	3228	Process not Found	83
PID 3228 wrote to memory of 1844	3228	Process not Found	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4292

C:\Users\Admin\AppData\Local\Temp\1008.exe
C:\Users\Admin\AppData\Local\Temp\1008.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Local\Temp\127A.exe
C:\Users\Admin\AppData\Local\Temp\127A.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\13D3.exe
C:\Users\Admin\AppData\Local\Temp\13D3.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\AppData\Local\Temp\23C2.exe
C:\Users\Admin\AppData\Local\Temp\23C2.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\2625.exe
C:\Users\Admin\AppData\Local\Temp\2625.exe
1⤵
PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1504

C:\Users\Admin\AppData\Local\Temp\2981.exe
C:\Users\Admin\AppData\Local\Temp\2981.exe
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1008.exe

Filesize
785KB

MD5
f92f2eec85513885dd5862254be5f494

SHA1
20da4d8089afec4873cedf763007a222df721572

SHA256
6249c6dfd60d61b7e10ddbe52f4be48a8cd6c26da6cf71611ba7fc64617ac424

SHA512
0ca3146843808daa5a7fb8f243c7540c4e4b5cdf5463f903bc6b531a2fbc8fb2734ef8b102015a89a99e94b8f4e5f144ce2f527e377c5bde31605117723e3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008.exe

Filesize
785KB

MD5
f92f2eec85513885dd5862254be5f494

SHA1
20da4d8089afec4873cedf763007a222df721572

SHA256
6249c6dfd60d61b7e10ddbe52f4be48a8cd6c26da6cf71611ba7fc64617ac424

SHA512
0ca3146843808daa5a7fb8f243c7540c4e4b5cdf5463f903bc6b531a2fbc8fb2734ef8b102015a89a99e94b8f4e5f144ce2f527e377c5bde31605117723e3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\127A.exe

Filesize
261KB

MD5
eda1b6f6e01f038267413b3ae9d3eb23

SHA1
6e71d68c3496b513ba4f1b924fd46ddfdfb2c305

SHA256
7c34d3d22db889dfe3f1ab7e5810a04436330824da5a8fdecc03a987876d66da

SHA512
420b4cda1ab0ce3293a4954283cb12c53882f50b5aa5f0921b1bd915257694508d79420cb680ba36ef88636bc479e98e054549ca67d17f0e63d8f38d384b0c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\127A.exe

Filesize
261KB

MD5
eda1b6f6e01f038267413b3ae9d3eb23

SHA1
6e71d68c3496b513ba4f1b924fd46ddfdfb2c305

SHA256
7c34d3d22db889dfe3f1ab7e5810a04436330824da5a8fdecc03a987876d66da

SHA512
420b4cda1ab0ce3293a4954283cb12c53882f50b5aa5f0921b1bd915257694508d79420cb680ba36ef88636bc479e98e054549ca67d17f0e63d8f38d384b0c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D3.exe

Filesize
806KB

MD5
d27125ae65af3a6ce086eeae8fa41521

SHA1
70209d54e90908fc10f99af3cb38620bd744f93b

SHA256
4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea

SHA512
93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\13D3.exe

Filesize
806KB

MD5
d27125ae65af3a6ce086eeae8fa41521

SHA1
70209d54e90908fc10f99af3cb38620bd744f93b

SHA256
4745aee336bf0a92efae4475d6a541fbd9cc91b65532a26a1810b49ad5f8dbea

SHA512
93f941a68d8eaea98d146520f786773e688bf5673ab37110efe065e05f9af6f81c43e050e90b20348b92888abc519e2094bcce37e22ab9a4a0e439c8dd88b68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C2.exe

Filesize
785KB

MD5
f92f2eec85513885dd5862254be5f494

SHA1
20da4d8089afec4873cedf763007a222df721572

SHA256
6249c6dfd60d61b7e10ddbe52f4be48a8cd6c26da6cf71611ba7fc64617ac424

SHA512
0ca3146843808daa5a7fb8f243c7540c4e4b5cdf5463f903bc6b531a2fbc8fb2734ef8b102015a89a99e94b8f4e5f144ce2f527e377c5bde31605117723e3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\23C2.exe

Filesize
785KB

MD5
f92f2eec85513885dd5862254be5f494

SHA1
20da4d8089afec4873cedf763007a222df721572

SHA256
6249c6dfd60d61b7e10ddbe52f4be48a8cd6c26da6cf71611ba7fc64617ac424

SHA512
0ca3146843808daa5a7fb8f243c7540c4e4b5cdf5463f903bc6b531a2fbc8fb2734ef8b102015a89a99e94b8f4e5f144ce2f527e377c5bde31605117723e3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\2625.exe

Filesize
2.0MB

MD5
ff7712b5d2dcafd6b9c775eecc8266a1

SHA1
a11c9bd80f1c80f057517fc555fcf9b53c327302

SHA256
51d0be1366d229621051abb5df81316256c997c46265be8c9fb6b6b01fd1ccb1

SHA512
a8dbf46d54d80dd206c61007c668bd93a00a4d8b35937cfdf1b723d69484bc6230763a0cd73b602e58392a0b6814c8143877b479709fd6ab03ea98eda61c0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2625.exe

Filesize
1.8MB

MD5
9898bd601cf56a383b830b392a36e379

SHA1
2359e1cbb3a40f9ab49ebd82d94ea787b7a8b0ab

SHA256
3b277cf38d325665e5b9318e5a6d4a0a943d0cc89d43a5742e5c741a285b8961

SHA512
b7ee2fa5e86842e34e19289588e7b5adc451b4aa5a7da77bad6090748429c21c74657fd0b3d23f94755732c4156bccac1156fbd1addc24971cdbc4a653eccf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2981.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2981.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
memory/1504-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-76-0x00000000012F0000-0x00000000012FD000-memory.dmp

Filesize
52KB

Download
memory/1504-74-0x00000000012C0000-0x00000000012C9000-memory.dmp

Filesize
36KB

Download
memory/1504-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1504-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-75-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-51-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-85-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-60-0x00000000080F0000-0x0000000008100000-memory.dmp

Filesize
64KB

Download
memory/3228-77-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-73-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-83-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-42-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-81-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-46-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-48-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-49-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-50-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-79-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-52-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-54-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-57-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-80-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-4-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

Filesize
88KB

Download
memory/3228-70-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-72-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/3228-69-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4292-8-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/4292-5-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4292-3-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4292-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/4292-2-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/4888-26-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4888-78-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4888-34-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4888-25-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/4888-30-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4888-31-0x0000000002450000-0x0000000002456000-memory.dmp

Filesize
24KB

Download
memory/4888-68-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4888-32-0x0000000005130000-0x0000000005748000-memory.dmp

Filesize
6.1MB

Download
memory/4888-33-0x0000000004B10000-0x0000000004C1A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-37-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

Filesize
304KB

Download
memory/4888-36-0x0000000004C40000-0x0000000004C7C000-memory.dmp

Filesize
240KB

Download
memory/4888-35-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download