amadey | 1fdd5f3e8505e6e6d5694fd5bb78388c9f5ca6f38c5a2c066159adca4a10d217

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe
Size

517KB
MD5

304a5b4567c0d0be82803f9105d5fa39
SHA1

a919586040a1f12db5fd80f938a8804940836609
SHA256

699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d
SHA512

e446ffa1b8155c72e3764da8341244505ccf3b298e692b9468b0bf4d893aea4bf643ace04dd39d735225ef27d7d2b25c9958a6ac92c81adc1e06df56f1d0a645
SSDEEP

12288:UMrTy90Q5hM4tG9jl9zVEL3SeN/MYvpBuV6Mqw9g:3y/heLzmLi5aXMqw9g

Score

10^/10

amadey healer redline papik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

papik

77.91.124.156:19071

Attributes

auth_value
325a615d8be5db8e2f7a4c2448fdac3a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral4/files/0x000800000002341d-19.dat	healer
behavioral4/memory/1712-21-0x0000000000CE0000-0x0000000000CEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6775914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6775914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6775914.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k6775914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6775914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6775914.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000700000002341b-38.dat	family_redline
behavioral4/memory/5116-40-0x0000000000F60000-0x0000000000F90000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	l7449951.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 9 IoCs

pid	Process
4552	y3729429.exe
1644	y0306942.exe
1712	k6775914.exe
1836	l7449951.exe
1048	pdates.exe
5116	m3659694.exe
1716	pdates.exe
4988	pdates.exe
4324	pdates.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6775914.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3729429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0306942.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	k6775914.exe
1712	k6775914.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	k6775914.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4552	2016	699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe	81
PID 2016 wrote to memory of 4552	2016	699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe	81
PID 2016 wrote to memory of 4552	2016	699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe	81
PID 4552 wrote to memory of 1644	4552	y3729429.exe	82
PID 4552 wrote to memory of 1644	4552	y3729429.exe	82
PID 4552 wrote to memory of 1644	4552	y3729429.exe	82
PID 1644 wrote to memory of 1712	1644	y0306942.exe	84
PID 1644 wrote to memory of 1712	1644	y0306942.exe	84
PID 1644 wrote to memory of 1836	1644	y0306942.exe	87
PID 1644 wrote to memory of 1836	1644	y0306942.exe	87
PID 1644 wrote to memory of 1836	1644	y0306942.exe	87
PID 1836 wrote to memory of 1048	1836	l7449951.exe	88
PID 1836 wrote to memory of 1048	1836	l7449951.exe	88
PID 1836 wrote to memory of 1048	1836	l7449951.exe	88
PID 4552 wrote to memory of 5116	4552	y3729429.exe	89
PID 4552 wrote to memory of 5116	4552	y3729429.exe	89
PID 4552 wrote to memory of 5116	4552	y3729429.exe	89
PID 1048 wrote to memory of 3492	1048	pdates.exe	90
PID 1048 wrote to memory of 3492	1048	pdates.exe	90
PID 1048 wrote to memory of 3492	1048	pdates.exe	90
PID 1048 wrote to memory of 1800	1048	pdates.exe	91
PID 1048 wrote to memory of 1800	1048	pdates.exe	91
PID 1048 wrote to memory of 1800	1048	pdates.exe	91
PID 1800 wrote to memory of 2704	1800	cmd.exe	94
PID 1800 wrote to memory of 2704	1800	cmd.exe	94
PID 1800 wrote to memory of 2704	1800	cmd.exe	94
PID 1800 wrote to memory of 1776	1800	cmd.exe	95
PID 1800 wrote to memory of 1776	1800	cmd.exe	95
PID 1800 wrote to memory of 1776	1800	cmd.exe	95
PID 1800 wrote to memory of 3264	1800	cmd.exe	96
PID 1800 wrote to memory of 3264	1800	cmd.exe	96
PID 1800 wrote to memory of 3264	1800	cmd.exe	96
PID 1800 wrote to memory of 3408	1800	cmd.exe	97
PID 1800 wrote to memory of 3408	1800	cmd.exe	97
PID 1800 wrote to memory of 3408	1800	cmd.exe	97
PID 1800 wrote to memory of 924	1800	cmd.exe	98
PID 1800 wrote to memory of 924	1800	cmd.exe	98
PID 1800 wrote to memory of 924	1800	cmd.exe	98
PID 1800 wrote to memory of 1788	1800	cmd.exe	99
PID 1800 wrote to memory of 1788	1800	cmd.exe	99
PID 1800 wrote to memory of 1788	1800	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe
"C:\Users\Admin\AppData\Local\Temp\699bfc597d56fb4ed7153a5a4fe2851361b9e27b9b8c3109277f0c5a54afbe1d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3729429.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3729429.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0306942.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0306942.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6775914.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6775914.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7449951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7449951.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:1788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3659694.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3659694.exe
    3⤵
    - Executes dropped EXE
    PID:5116

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3729429.exe

Filesize
390KB

MD5
ac7160a3a1348b7da03856747d06cf62

SHA1
1eeb5c204b328ecd5e2f6fec87f0be66f2602ba0

SHA256
45c8c7c27353265cc8a41357f40d155ee0c4ebf38b4722ead8f651e01a5d001a

SHA512
8c462e4223107889a21b3d4902f15dc2ec9ec5d8ab96decac7008494d0716169bcd83ba26c9ab35e5181b9375342944885e6536bec1a433cb27925ffe50ddffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3659694.exe

Filesize
173KB

MD5
fb09612d0dd2b03ce603878fff07c077

SHA1
fb14d2f355ca622380094f177c53a2dbd15a7487

SHA256
6fd99c1761ebdf1efe85564483359243f88ade8bd5d5251f7293adf2544d884f

SHA512
100e6e11fa04487211bb58e174809832a2d98608bf35132c66039f00eb717e3abe5ae892c05ac547b9ed7703f3204a1b6ab9a86b54dcfefbf83389bfd9514a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0306942.exe

Filesize
234KB

MD5
834db7514f3b88e0224a3fb67eb4a3e5

SHA1
92d34c7475354901c3468dabe5ca242913ef43d6

SHA256
3cdc96c0625f6512cc0c44ab69c68d526f5bcf60a58db6ec7ba7571351e6f209

SHA512
01ec41806b2baac375386b87bfff951c3781a9c3a470881e9b236fbb1ef44034213df9855d3f703d34f4e1cbca811a09970ffc8bcad5535939e0974df15c0c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6775914.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7449951.exe

Filesize
223KB

MD5
aea234064483f651010cf9d981f59fea

SHA1
002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

SHA256
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

SHA512
eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

Download Submit
memory/1712-22-0x00007FFAE55B3000-0x00007FFAE55B5000-memory.dmp

Filesize
8KB

Download
memory/1712-21-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/5116-40-0x0000000000F60000-0x0000000000F90000-memory.dmp

Filesize
192KB

Download
memory/5116-41-0x0000000003350000-0x0000000003356000-memory.dmp

Filesize
24KB

Download
memory/5116-42-0x0000000006040000-0x0000000006658000-memory.dmp

Filesize
6.1MB

Download
memory/5116-43-0x0000000005B30000-0x0000000005C3A000-memory.dmp

Filesize
1.0MB

Download
memory/5116-44-0x0000000005A40000-0x0000000005A52000-memory.dmp

Filesize
72KB

Download
memory/5116-45-0x0000000005AA0000-0x0000000005ADC000-memory.dmp

Filesize
240KB

Download
memory/5116-46-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download