amadey | b0775c8fcdd8ebb0123f9b03757952498595475777fac3bbde3e90ed10d13558

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
Size

515KB
MD5

1b6ca4b3887874447697d2dac0664cf5
SHA1

0b2ef46a6bd9883b04ecaf8ae6fc47df13e2f8f2
SHA256

f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41
SHA512

4435a0bfc90dd2574a28ce91d519a4566ff85413fb13b5c6690d2e868410abda41ebd05e4129f20fdfafb989d5f2bf424ef84234925ebb33123e0a434a4d6a5d
SSDEEP

12288:XMrfy90fa+YaQ3g3aNwmYu4neyzKmErzq93TU1cFdsJ:4y0a+YahqJYuGey2HAEJ

Score

10^/10

amadey healer redline smokeloader lande backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral23/files/0x00080000000233d1-19.dat	healer
behavioral23/memory/3040-22-0x0000000000880000-0x000000000088A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6513102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6513102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6513102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6513102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6513102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6513102.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral23/files/0x00070000000233cc-43.dat	family_redline
behavioral23/memory/4928-45-0x0000000000440000-0x0000000000470000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	b1736941.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 10 IoCs

pid	Process
4332	v9071750.exe
216	v1399127.exe
3040	a6513102.exe
1824	b1736941.exe
3576	pdates.exe
2188	c2251742.exe
4204	pdates.exe
4928	d4275669.exe
2884	pdates.exe
4380	pdates.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6513102.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9071750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1399127.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2251742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2251742.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2251742.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	a6513102.exe
3040	a6513102.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	a6513102.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	b1736941.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4332	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	83
PID 2128 wrote to memory of 4332	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	83
PID 2128 wrote to memory of 4332	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	83
PID 4332 wrote to memory of 216	4332	v9071750.exe	85
PID 4332 wrote to memory of 216	4332	v9071750.exe	85
PID 4332 wrote to memory of 216	4332	v9071750.exe	85
PID 216 wrote to memory of 3040	216	v1399127.exe	86
PID 216 wrote to memory of 3040	216	v1399127.exe	86
PID 216 wrote to memory of 1824	216	v1399127.exe	88
PID 216 wrote to memory of 1824	216	v1399127.exe	88
PID 216 wrote to memory of 1824	216	v1399127.exe	88
PID 1824 wrote to memory of 3576	1824	b1736941.exe	89
PID 1824 wrote to memory of 3576	1824	b1736941.exe	89
PID 1824 wrote to memory of 3576	1824	b1736941.exe	89
PID 4332 wrote to memory of 2188	4332	v9071750.exe	90
PID 4332 wrote to memory of 2188	4332	v9071750.exe	90
PID 4332 wrote to memory of 2188	4332	v9071750.exe	90
PID 3576 wrote to memory of 3512	3576	pdates.exe	91
PID 3576 wrote to memory of 3512	3576	pdates.exe	91
PID 3576 wrote to memory of 3512	3576	pdates.exe	91
PID 3576 wrote to memory of 4472	3576	pdates.exe	93
PID 3576 wrote to memory of 4472	3576	pdates.exe	93
PID 3576 wrote to memory of 4472	3576	pdates.exe	93
PID 4472 wrote to memory of 4788	4472	cmd.exe	95
PID 4472 wrote to memory of 4788	4472	cmd.exe	95
PID 4472 wrote to memory of 4788	4472	cmd.exe	95
PID 4472 wrote to memory of 5084	4472	cmd.exe	96
PID 4472 wrote to memory of 5084	4472	cmd.exe	96
PID 4472 wrote to memory of 5084	4472	cmd.exe	96
PID 4472 wrote to memory of 3196	4472	cmd.exe	97
PID 4472 wrote to memory of 3196	4472	cmd.exe	97
PID 4472 wrote to memory of 3196	4472	cmd.exe	97
PID 4472 wrote to memory of 3684	4472	cmd.exe	98
PID 4472 wrote to memory of 3684	4472	cmd.exe	98
PID 4472 wrote to memory of 3684	4472	cmd.exe	98
PID 4472 wrote to memory of 3052	4472	cmd.exe	99
PID 4472 wrote to memory of 3052	4472	cmd.exe	99
PID 4472 wrote to memory of 3052	4472	cmd.exe	99
PID 4472 wrote to memory of 3680	4472	cmd.exe	100
PID 4472 wrote to memory of 3680	4472	cmd.exe	100
PID 4472 wrote to memory of 3680	4472	cmd.exe	100
PID 2128 wrote to memory of 4928	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	104
PID 2128 wrote to memory of 4928	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	104
PID 2128 wrote to memory of 4928	2128	f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe	104

C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe
"C:\Users\Admin\AppData\Local\Temp\f8a2da44f9c18482323d9e1ed99567d3a35b95656bc1b023d86e12f305565c41.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3512
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        7⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        7⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        7⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        7⤵
        
        PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe
  2⤵
  - Executes dropped EXE
  PID:4928

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4275669.exe

Filesize
174KB

MD5
35c0945f8c70c870c070eb2261d6bc04

SHA1
bfc1ffae759330be5a50c22829fb342bfc644aab

SHA256
e296c73bc0d4abe0e58a2200d0c1839c210debd4deb8b26aa83abc5a2f0aaa1d

SHA512
8c9e5e646dfcd6b592d516524128d34af326c55a153d77d240ddbe6f418f01be473231e78a1707d72b0fbe3ad367085fc76ff329d8d80515ac07288b5eda73b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9071750.exe

Filesize
359KB

MD5
88bee46f431c014c1e45417f6b13e124

SHA1
07588e0723944e251a6a2d9db4ed8e45d5f563f1

SHA256
f4dfc88066f344cec64c3c5076b4e1e051af9f333c455aa2f96daacc1d732999

SHA512
5a0c53df34632e2d21c12e572460d54bfe7de21035d44bc36764ed3c6410d661ee50c758366cc8b86c2447b54efab7c41479fb04468afee6b70b9cbbaf55e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2251742.exe

Filesize
36KB

MD5
88331cf94b56745070654ca04d4c7d98

SHA1
248ac76afce09c34082bad3fbd01ce73e4056f65

SHA256
32e850a828611bdf20e34f0ac6c397507ff4b140c2b13732b5bf389249693334

SHA512
a3173aaeb138cb46f951d1e6b103a424c91ee05b416cdc9080e3ac5ba6db33dd0431d1ba0b8228b379f6ea6631b5c6622a4875459ce1105a0b959722e7717f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1399127.exe

Filesize
234KB

MD5
8f620f99bbeba489fc4bddc2af02f9b8

SHA1
2e97752a24581dd229306cfad5763cf82f9c4f96

SHA256
26a1717813eedfd0569c474064d1e14eeba61b97bb26866c53a19428a448a3f5

SHA512
b5065ed02a3bdcb68461265bb56f9173a7f9a1c75d12cf1ae53c43224cf2aada5586a4ee122779d7c83b8e8130cc6a980080cd03c2cc751ce19ac5ea3b2caa03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6513102.exe

Filesize
13KB

MD5
12803f40ef0b813626de6e5eb0ec05b2

SHA1
27e32adac36ba9f4d54ecbf53e112158d4e988b5

SHA256
d320fcef46ae85d5f06133a3b8d4f5a7d2dff0886a86d981f3186f464fbb7abb

SHA512
84d7c28b03fdceb94e00fbcc838f203f6cd9e091b67b7ea8dad577a529a0d96eecf3b246a8548c9b7bef1e063aa96525f6b2148b5d0bb79b32a3415e9f151e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1736941.exe

Filesize
225KB

MD5
2b7ed1055ddd27afe675dd11da92357a

SHA1
3809cb22cbdda5ba5707892163217563020df5ca

SHA256
9d69e620d8bb7cb24c7d4831312351d09872badc8331594ce05afe46ff56ab3d

SHA512
549602e7e10ae1b006fafe9d6c1c09d35280a3af8815157dfa9b7664f16bf1682cc782585a24202dd150955073b5e648f0ad8a39add3f95ceeb51a5eb26fc641

Download Submit
memory/2188-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3040-22-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/3040-21-0x00007FFD84CC3000-0x00007FFD84CC5000-memory.dmp

Filesize
8KB

Download
memory/4928-45-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/4928-46-0x0000000004C20000-0x0000000004C26000-memory.dmp

Filesize
24KB

Download
memory/4928-47-0x000000000A730000-0x000000000AD48000-memory.dmp

Filesize
6.1MB

Download
memory/4928-48-0x000000000A2B0000-0x000000000A3BA000-memory.dmp

Filesize
1.0MB

Download
memory/4928-49-0x000000000A1F0000-0x000000000A202000-memory.dmp

Filesize
72KB

Download
memory/4928-50-0x000000000A250000-0x000000000A28C000-memory.dmp

Filesize
240KB

Download
memory/4928-51-0x0000000002700000-0x000000000274C000-memory.dmp

Filesize
304KB

Download