amadey | 45e94c10bbc148cc1f0e810ef4a64b3b2814960515bbe6c69d8570dde960e0b2

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
Size

514KB
MD5

90f4e7656cd4f2ff21d306e9a2127aa8
SHA1

d7c5ac2b853e2ffb6281a91e1d48a652fdb4ab4b
SHA256

2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7
SHA512

cc4a87aab9ee3c6290dd6eefd14e2297f24f9738cad755bb462d402ab408fdbd27d196e5a44475e3a4296c0f959305d645187297fa12f76464f652d040651e15
SSDEEP

12288:kMrvy90pmeitVqabcxZthOFvD2ZT58iro7:7yAitsKcxZtsvCLE

Score

10^/10

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral7/files/0x0008000000023430-20.dat	healer
behavioral7/memory/1776-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4426601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4426601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4426601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4426601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4426601.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4426601.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/memory/1512-45-0x0000000000190000-0x00000000001C0000-memory.dmp	family_redline
behavioral7/files/0x000700000002342b-44.dat	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	pdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	b8095379.exe

Executes dropped EXE 9 IoCs

pid	Process
3796	v7811642.exe
2128	v1955735.exe
1776	a4426601.exe
4980	b8095379.exe
4476	pdates.exe
2600	c5089515.exe
1512	d2061509.exe
3260	pdates.exe
3704	pdates.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4426601.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7811642.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1955735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5089515.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5089515.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5089515.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1776	a4426601.exe
1776	a4426601.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	a4426601.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3796	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	84
PID 4460 wrote to memory of 3796	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	84
PID 4460 wrote to memory of 3796	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	84
PID 3796 wrote to memory of 2128	3796	v7811642.exe	85
PID 3796 wrote to memory of 2128	3796	v7811642.exe	85
PID 3796 wrote to memory of 2128	3796	v7811642.exe	85
PID 2128 wrote to memory of 1776	2128	v1955735.exe	86
PID 2128 wrote to memory of 1776	2128	v1955735.exe	86
PID 2128 wrote to memory of 4980	2128	v1955735.exe	95
PID 2128 wrote to memory of 4980	2128	v1955735.exe	95
PID 2128 wrote to memory of 4980	2128	v1955735.exe	95
PID 4980 wrote to memory of 4476	4980	b8095379.exe	97
PID 4980 wrote to memory of 4476	4980	b8095379.exe	97
PID 4980 wrote to memory of 4476	4980	b8095379.exe	97
PID 3796 wrote to memory of 2600	3796	v7811642.exe	98
PID 3796 wrote to memory of 2600	3796	v7811642.exe	98
PID 3796 wrote to memory of 2600	3796	v7811642.exe	98
PID 4460 wrote to memory of 1512	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	99
PID 4460 wrote to memory of 1512	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	99
PID 4460 wrote to memory of 1512	4460	2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe	99
PID 4476 wrote to memory of 4760	4476	pdates.exe	100
PID 4476 wrote to memory of 4760	4476	pdates.exe	100
PID 4476 wrote to memory of 4760	4476	pdates.exe	100
PID 4476 wrote to memory of 4076	4476	pdates.exe	102
PID 4476 wrote to memory of 4076	4476	pdates.exe	102
PID 4476 wrote to memory of 4076	4476	pdates.exe	102
PID 4076 wrote to memory of 3708	4076	cmd.exe	104
PID 4076 wrote to memory of 3708	4076	cmd.exe	104
PID 4076 wrote to memory of 3708	4076	cmd.exe	104
PID 4076 wrote to memory of 3328	4076	cmd.exe	105
PID 4076 wrote to memory of 3328	4076	cmd.exe	105
PID 4076 wrote to memory of 3328	4076	cmd.exe	105
PID 4076 wrote to memory of 2296	4076	cmd.exe	106
PID 4076 wrote to memory of 2296	4076	cmd.exe	106
PID 4076 wrote to memory of 2296	4076	cmd.exe	106
PID 4076 wrote to memory of 640	4076	cmd.exe	107
PID 4076 wrote to memory of 640	4076	cmd.exe	107
PID 4076 wrote to memory of 640	4076	cmd.exe	107
PID 4076 wrote to memory of 728	4076	cmd.exe	108
PID 4076 wrote to memory of 728	4076	cmd.exe	108
PID 4076 wrote to memory of 728	4076	cmd.exe	108
PID 4076 wrote to memory of 2352	4076	cmd.exe	109
PID 4076 wrote to memory of 2352	4076	cmd.exe	109
PID 4076 wrote to memory of 2352	4076	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe
"C:\Users\Admin\AppData\Local\Temp\2ea5e26c1500a47dc848fdffa31210f94311df256bb6bd7b359e4af6894023e7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4760
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:2352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe
  2⤵
  - Executes dropped EXE
  PID:1512

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2061509.exe

Filesize
172KB

MD5
f3d4c9732520988f37640af8592b4d4f

SHA1
439c8330fafbb18ca5bfb910ba6072b0d6c344ea

SHA256
5308702f0f353193c42c209eb946a64d65aafb3b8543cfed37ef8b79a9477c11

SHA512
67d76224af187bbe39a9c7a3b6cea6becc77d887cc3ac89513d006f8331ce60506d783b2034a8a2083bda1767ea1fa9dbcc9a52a7f1fc554065ca2f1927bd2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7811642.exe

Filesize
359KB

MD5
1b5c60006cf65f19efde04faf393ff26

SHA1
79b21b5c269f61e83bded7046cac7a74c8d03a26

SHA256
5d444bb020b097b1a1601470bff8ed4f721ca9833ed2645d13e7bb941f933c92

SHA512
761a77a6ff1f8eda021d9827eb1a7af15d51ff792f1d34af0d965701e1eb756e148ace1f294cc753d1cc8469c0350b942cae76fccde6c206f5e574b22dd6662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5089515.exe

Filesize
35KB

MD5
4d10444994d8bcb46db1b0169d70408c

SHA1
cb75bd6e3f9a211e3f6f0edd621c4d19f3cbb932

SHA256
f3f96017154ef1ac7b8a8e402b1f4ec838b4cbf90b17d91fbd41c9d80fe93b73

SHA512
ff14d0549a3f9aae43c2535970fcb73c7287603eaed8f6ef02865d1137e6d0a83349eb19d088c162ed140e01689b62beba29a3b0081a15d6d538f5bc4836692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1955735.exe

Filesize
234KB

MD5
fc78db6faef23ec53cf6d28a8d2413e5

SHA1
909012f46132d8e495fbb87aa929a34896e0abff

SHA256
f64c365cf9ebf6b3d3c2c5fa5d606e6108cb7cbdca2d3c5a584265cdfe86af19

SHA512
94da1949fb511f63aecb67cd890c6da681df8d7e8cf363547ae789c092209cb1c6f93b3f2880beca3d76b8b9ce4da397c0fd8edf1476ea4b163cfd3915e7b560

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4426601.exe

Filesize
11KB

MD5
4a52f5ac63c258eb43a31d19c1ef0f10

SHA1
e234ac66b801fe1be51c144206a811809b2b53ef

SHA256
45c201511196955b077ff6d298ab9d6f10cc394dfa6f91a746d10246db41ab00

SHA512
15c2c18b9b19fdbd6744b81687f92263114a363b1cc32af2483676ab465c4a9f4eac35553212f331808744c7abb159b25b521556ec5a5b766b468f93d6fbcbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8095379.exe

Filesize
223KB

MD5
6ea3f44322a07b398f06762b5a7e09a1

SHA1
af77a595623910bf513a34e8308ea69efb9a2a91

SHA256
2ad18f623171a8873c4d292125e8b1d2421172d6ba472d49f1d2988872b87266

SHA512
a4edbb71f501caa94c48c7a1c0e0766eb693e138e47aad8b59a695f313cb5322dda91d95225a1034db386c186103dbfe28f3a27e9c3d40c86a2721f33a04121a

Download Submit
memory/1512-49-0x0000000009F40000-0x0000000009F52000-memory.dmp

Filesize
72KB

Download
memory/1512-48-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/1512-46-0x0000000004970000-0x0000000004976000-memory.dmp

Filesize
24KB

Download
memory/1512-47-0x000000000A510000-0x000000000AB28000-memory.dmp

Filesize
6.1MB

Download
memory/1512-45-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/1512-50-0x0000000009FA0000-0x0000000009FDC000-memory.dmp

Filesize
240KB

Download
memory/1512-51-0x0000000002310000-0x000000000235C000-memory.dmp

Filesize
304KB

Download
memory/1776-21-0x00007FFE3E773000-0x00007FFE3E775000-memory.dmp

Filesize
8KB

Download
memory/1776-22-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2600-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2600-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download