amadey | d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
Size

514KB
MD5

0fa62ebed394e0d1ca75a047dfcd8883
SHA1

c320dd1803bf38cd5822882b9c3aed0c0d2df000
SHA256

7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b
SHA512

d36d9c9ce7042ca5942ec1a762e109c21a717057b6895b8d1b74892c6b08ff7b017c7142012685eb2112ac6800344910e8f2086980887641717db5a20fb437da
SSDEEP

12288:VMrNy90LyyzBA8YCgPxn4VxjSadSX9zheZnSW:cykXgPaSadSX9tmnSW

Score

10^/10

amadey healer redline smokeloader roma backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

roma

77.91.68.56:19071

Attributes

auth_value
f099c2cf92834dbc554a94e1456cf576

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe	healer
behavioral10/memory/3040-21-0x00000000009F0000-0x00000000009FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a2141193.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2141193.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2141193.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2141193.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2141193.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2141193.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2141193.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe	family_redline
behavioral10/memory/2588-45-0x0000000000230000-0x0000000000260000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4366386.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	b4366386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 10 IoCs

Processes:

v8266423.exev0782272.exea2141193.exeb4366386.exedanke.exec3646519.exed8228646.exedanke.exedanke.exedanke.exe

pid	process
692	v8266423.exe
3340	v0782272.exe
3040	a2141193.exe
3800	b4366386.exe
4864	danke.exe
3192	c3646519.exe
2588	d8228646.exe
2340	danke.exe
8	danke.exe
4964	danke.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a2141193.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2141193.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2141193.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v8266423.exev0782272.exe7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8266423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0782272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c3646519.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3646519.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3646519.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3646519.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a2141193.exe

pid process

3040 a2141193.exe
3040 a2141193.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a2141193.exe

description pid process

Token: SeDebugPrivilege 3040 a2141193.exe

pid	process
3752	schtasks.exe

pid	process
3040	a2141193.exe
3040	a2141193.exe

description	pid	process
Token: SeDebugPrivilege	3040	a2141193.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exev8266423.exev0782272.exeb4366386.exedanke.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 692	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	v8266423.exe
PID 1192 wrote to memory of 692	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	v8266423.exe
PID 1192 wrote to memory of 692	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	v8266423.exe
PID 692 wrote to memory of 3340	692	v8266423.exe	v0782272.exe
PID 692 wrote to memory of 3340	692	v8266423.exe	v0782272.exe
PID 692 wrote to memory of 3340	692	v8266423.exe	v0782272.exe
PID 3340 wrote to memory of 3040	3340	v0782272.exe	a2141193.exe
PID 3340 wrote to memory of 3040	3340	v0782272.exe	a2141193.exe
PID 3340 wrote to memory of 3800	3340	v0782272.exe	b4366386.exe
PID 3340 wrote to memory of 3800	3340	v0782272.exe	b4366386.exe
PID 3340 wrote to memory of 3800	3340	v0782272.exe	b4366386.exe
PID 3800 wrote to memory of 4864	3800	b4366386.exe	danke.exe
PID 3800 wrote to memory of 4864	3800	b4366386.exe	danke.exe
PID 3800 wrote to memory of 4864	3800	b4366386.exe	danke.exe
PID 692 wrote to memory of 3192	692	v8266423.exe	c3646519.exe
PID 692 wrote to memory of 3192	692	v8266423.exe	c3646519.exe
PID 692 wrote to memory of 3192	692	v8266423.exe	c3646519.exe
PID 1192 wrote to memory of 2588	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	d8228646.exe
PID 1192 wrote to memory of 2588	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	d8228646.exe
PID 1192 wrote to memory of 2588	1192	7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe	d8228646.exe
PID 4864 wrote to memory of 3752	4864	danke.exe	schtasks.exe
PID 4864 wrote to memory of 3752	4864	danke.exe	schtasks.exe
PID 4864 wrote to memory of 3752	4864	danke.exe	schtasks.exe
PID 4864 wrote to memory of 4808	4864	danke.exe	cmd.exe
PID 4864 wrote to memory of 4808	4864	danke.exe	cmd.exe
PID 4864 wrote to memory of 4808	4864	danke.exe	cmd.exe
PID 4808 wrote to memory of 1344	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 1344	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 1344	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 4432	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 4432	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 4432	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 5048	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 5048	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 5048	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 4820	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 4820	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 4820	4808	cmd.exe	cmd.exe
PID 4808 wrote to memory of 4824	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 4824	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 4824	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 1576	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 1576	4808	cmd.exe	cacls.exe
PID 4808 wrote to memory of 1576	4808	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
"C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
6⤵
- Creates scheduled task(s)
PID:3752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1344

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
7⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
7⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
7⤵
PID:4824

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
7⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
Filesize
174KB

MD5
497cc12633c7b690fc84fe172ff0a210

SHA1
7e9536fcd70a4c9ad1648b6b6c03f73402d72839

SHA256
53acb8295d1517e6cd156542b43e84bf57713a7962aa2feb2c787e5aa5603f5f

SHA512
699c014824c4ddd1ff9eb0f3cc669ee626645f098687bf8e54bd3f4c780eb7adb72e92789f078fb3ebfa872e308e09727914ad3913ad21162fcadbe033020629

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
Filesize
359KB

MD5
718ccdae6522b3565b00d5b5115a54a3

SHA1
2791911108e9025489c6a38e53a2d4647ae82ece

SHA256
41ce2351f24593197ae25dd9ebdcd3c80ba4fae58ab0da8bed75214c7090d3fc

SHA512
1c49c00dd8244dfe894531ffb34cf18db9d3067b0fe4471d3b049d7900933268b7290af53fe401db951746c800692b55b7222c56cf1c5d2ba7f9578e8cad6e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
Filesize
31KB

MD5
314fa0836479755b541b458a7c348818

SHA1
e19844a55994fe5b8b89eb9615b1b97f92836025

SHA256
b4514de3acdd6e051b3bb0aa10353c14310c726bb338a007ab9d46b3843341a7

SHA512
eb8d39b7cfe1b1a847549518b14b4ea85b98ec40bdfce423239560e48aee4cd6ea7f393ee81c916ab7aaa19024dfb33211c1991759a1a54f9a89afca0e98afd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
Filesize
235KB

MD5
3a307272bdc873647e125f30374ad454

SHA1
ec3832c7facaf5951522ccda4873ddb9c6a66734

SHA256
d1470ff18fc503704258b59863b706ddc9dd0b9ebddc89c3dcd6f37386590b9b

SHA512
2ec0adcf2b9fac89e9c14f75b71af6c0b4669c0571c64ff552c301b9f0f81c31c3dd048fdd68de5a450b6675a7d406fa7645b91d9f589936a971b3ac65871cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
Filesize
13KB

MD5
7fcbf387238b1edd626f4438f4754e56

SHA1
fc497bfd4594da7fc54580773335d14e676672fc

SHA256
f426ef07d2b5c8c64227e1d8d6ec1bc609e228255c341a1ac37ef90d4b477d7d

SHA512
3f6021efd6a3a696bf654c713a4fbb1f7e1e7aaf4c5f03769faa772e895268152654b00fe02f5b6c88efa4eed86e1bcb122a385714ec0ccce4d5c61b7efd5176

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
Filesize
225KB

MD5
c44455cce9ce61149ee6633001620646

SHA1
c5e1b8ae1ad1490e76eccfaaa9381921afe6e86c

SHA256
18ab09cc53d5236f8e572106e31040ff62f192115dad1518ea43ceb36c675730

SHA512
d2cd6db8246ab5ce4285035ece5a9290759a5f309240afcdc0f5ab0592bca44e46e39e9c7fac3387d571e0a532c5af3b091348ae5b58750911ffc889b64ba50d

Download Submit
memory/2588-51-0x0000000004C90000-0x0000000004CDC000-memory.dmp

Filesize
304KB

Download
memory/2588-48-0x0000000004D20000-0x0000000004E2A000-memory.dmp

Filesize
1.0MB

Download
memory/2588-50-0x0000000004C50000-0x0000000004C8C000-memory.dmp

Filesize
240KB

Download
memory/2588-49-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/2588-45-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2588-46-0x0000000002540000-0x0000000002546000-memory.dmp

Filesize
24KB

Download
memory/2588-47-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3040-21-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/3040-22-0x00007FFBFB043000-0x00007FFBFB045000-memory.dmp

Filesize
8KB

Download
memory/3192-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3192-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download