Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 10:51

General

  • Target

    fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3.exe

  • Size

    390KB

  • MD5

    7f7259536faba88247841cf1adf8332b

  • SHA1

    d5dead80e018787370e99753e2af59c8ed7fa887

  • SHA256

    fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3

  • SHA512

    072a4a03f0d623445fe20d401adc93cdd27425d508e6f8922efa48d5b05f82b645fb8031a04795c31bb5e1d49e672418a3bcf6a392deefe550501593134b1cac

  • SSDEEP

    12288:nMrUy90VMtGfE/7XH8MxeCVcEEKzVy6a3mB:DyTtGszXHLbmEEqVy6r

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3.exe
    "C:\Users\Admin\AppData\Local\Temp\fb468a211d9a74c5355215200cc2031ec364c8d8a99456c4a189cfea35cb72c3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1535374.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1535374.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8772823.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8772823.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2173793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2173793.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
          "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:8
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3040
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4060
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:3608
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:N"
              6⤵
              PID:2208
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "legola.exe" /P "Admin:R" /E
              6⤵
              PID:4288
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4344
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:N"
              6⤵
              PID:4588
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\ebb444342c" /P "Admin:R" /E
              6⤵
              PID:1604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1762830.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1762830.exe
      2⤵
      • Executes dropped EXE
      PID:1736
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:4904
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:1668
  • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
    1⤵
    • Executes dropped EXE
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1762830.exe

    Filesize

    173KB

    MD5

    75d519bc71b0df0a05230e5286d83eed

    SHA1

    aa159aec36da401a6d5642ee0062dc66b589d7c9

    SHA256

    c807bc1d72e78993834caa44014201fd6a452584796e1f235ddfa06d323f922b

    SHA512

    40caf2d52f749db43ace3f1096621bc75addb5d72a55d9e7679232a232afe37e10c761784d170e6e5bfa7bc3266ffc467ef73fb9829da3d96a89a14d8b623e10

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1535374.exe

    Filesize

    234KB

    MD5

    1d3d74bce4cb86fe40dbdc82ec30e7b4

    SHA1

    2c9a7d4a707653cfb7b9a95bf16b945c6fae5b7e

    SHA256

    7b36cf0c753c77b6a720fad0d6f89fb4bbef21ac4112d3be789cca1fa7ef90f7

    SHA512

    13b007ba56e851b3754e8d218c0e13b1d40fa67ebcb40506a2fc7c54e2375f05064a49a68ad0592c3a0c02cafc3c9f9334119e8c323de71979d428540df25288

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8772823.exe

    Filesize

    12KB

    MD5

    f05cae077054672e94dd380d619747bc

    SHA1

    7c7b8e4faff43907150a64b9a95780ba86e7e00a

    SHA256

    f10f71cb8281e6bfd5bcfb5cf0fc2db40bab75ee542f842fa1934907b1d9c5f5

    SHA512

    1441725f868c5d41b441854eb768671ac4f3c6acf0c8c77b13c9b69db707bbdd4f6dc45c8f87881029379d0d91ce89bd97261a1a3252ccd546d43566bd3e7256

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2173793.exe

    Filesize

    224KB

    MD5

    f0ea5fc3ee2d81c71088845831d67224

    SHA1

    d8ebaf6aeb50bbf7c71039fe97e8f2174890a15f

    SHA256

    32085e88d7f4690ec7e037931fb7edc354a7ae65b13ea4f48fcd5698b4ac98a3

    SHA512

    80c784633aebc411fc025379b2b15f5af7bad08ce8f6fb0e46879f58da9cea0a7520368fbbfcc227ecf35130a72eb41dba0941a75718c14e2eaf680a255008fd

  • memory/1736-36-0x000000000A0B0000-0x000000000A1BA000-memory.dmp

    Filesize

    1.0MB

  • memory/1736-33-0x0000000000240000-0x0000000000270000-memory.dmp

    Filesize

    192KB

  • memory/1736-34-0x0000000004B60000-0x0000000004B66000-memory.dmp

    Filesize

    24KB

  • memory/1736-35-0x000000000A550000-0x000000000AB68000-memory.dmp

    Filesize

    6.1MB

  • memory/1736-37-0x0000000009FF0000-0x000000000A002000-memory.dmp

    Filesize

    72KB

  • memory/1736-38-0x000000000A050000-0x000000000A08C000-memory.dmp

    Filesize

    240KB

  • memory/1736-39-0x0000000004550000-0x000000000459C000-memory.dmp

    Filesize

    304KB

  • memory/4984-15-0x00007FFD5D423000-0x00007FFD5D425000-memory.dmp

    Filesize

    8KB

  • memory/4984-14-0x0000000000630000-0x000000000063A000-memory.dmp

    Filesize

    40KB