amadey | d3b7e5cbe2980cd2fb6f7f30eaade26a956ec4a02e71ed37c80b263166b40ef2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
Size

390KB
MD5

0f6e9123147c19f2467905401e618e1b
SHA1

917abbb6f211d4a7662c8f05947e799452691601
SHA256

71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80
SHA512

151241129262e3de028e744556aa0ae408c5b469996892abd32ddd41dc86bc2a0e496e4bf2ed07c6a8cadff7643e3f0bc9b501eff36dd2b4a90b7ffef1e67e1f
SSDEEP

6144:Kvy+bnr+Kp0yN90QEH1EEZn+h2FJ3GVHY+M0NoAsjLSTJHAcihT9/2U8sC2dQ:RMruy90cETW4YdJHnihTcU9BdQ

Score

10^/10

amadey healer redline lande dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://5.42.92.67

Attributes

install_dir
ebb444342c
install_file
legola.exe
strings_key
5680b049188ecacbfa57b1b29c2f35a7
url_paths
/norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

77.91.124.84:19071

Attributes

auth_value
9fa41701c47df37786234f3373f21208

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe	healer
behavioral9/memory/2652-14-0x0000000000600000-0x000000000060A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

p0089499.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0089499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0089499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0089499.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p0089499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0089499.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0089499.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe	family_redline
behavioral9/memory/4764-33-0x0000000000770000-0x00000000007A0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r2080448.exelegola.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	r2080448.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	legola.exe

Executes dropped EXE 8 IoCs

Processes:

z6127935.exep0089499.exer2080448.exelegola.exet7168966.exelegola.exelegola.exelegola.exe

pid process

1800 z6127935.exe
2652 p0089499.exe
3924 r2080448.exe
4932 legola.exe
4764 t7168966.exe
1272 legola.exe
2000 legola.exe
2140 legola.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

p0089499.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p0089499.exe

pid	process
1800	z6127935.exe
2652	p0089499.exe
3924	r2080448.exe
4932	legola.exe
4764	t7168966.exe
1272	legola.exe
2000	legola.exe
2140	legola.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0089499.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exez6127935.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6127935.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3396 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

p0089499.exe

pid process

2652 p0089499.exe
2652 p0089499.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

p0089499.exe

description pid process

Token: SeDebugPrivilege 2652 p0089499.exe

pid	process
3396	schtasks.exe

pid	process
2652	p0089499.exe
2652	p0089499.exe

description	pid	process
Token: SeDebugPrivilege	2652	p0089499.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exez6127935.exer2080448.exelegola.execmd.exe

description	pid	process	target process
PID 4028 wrote to memory of 1800	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	z6127935.exe
PID 4028 wrote to memory of 1800	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	z6127935.exe
PID 4028 wrote to memory of 1800	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	z6127935.exe
PID 1800 wrote to memory of 2652	1800	z6127935.exe	p0089499.exe
PID 1800 wrote to memory of 2652	1800	z6127935.exe	p0089499.exe
PID 1800 wrote to memory of 3924	1800	z6127935.exe	r2080448.exe
PID 1800 wrote to memory of 3924	1800	z6127935.exe	r2080448.exe
PID 1800 wrote to memory of 3924	1800	z6127935.exe	r2080448.exe
PID 3924 wrote to memory of 4932	3924	r2080448.exe	legola.exe
PID 3924 wrote to memory of 4932	3924	r2080448.exe	legola.exe
PID 3924 wrote to memory of 4932	3924	r2080448.exe	legola.exe
PID 4028 wrote to memory of 4764	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	t7168966.exe
PID 4028 wrote to memory of 4764	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	t7168966.exe
PID 4028 wrote to memory of 4764	4028	71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe	t7168966.exe
PID 4932 wrote to memory of 3396	4932	legola.exe	schtasks.exe
PID 4932 wrote to memory of 3396	4932	legola.exe	schtasks.exe
PID 4932 wrote to memory of 3396	4932	legola.exe	schtasks.exe
PID 4932 wrote to memory of 1328	4932	legola.exe	cmd.exe
PID 4932 wrote to memory of 1328	4932	legola.exe	cmd.exe
PID 4932 wrote to memory of 1328	4932	legola.exe	cmd.exe
PID 1328 wrote to memory of 4284	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 4284	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 4284	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 4420	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 4420	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 4420	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1684	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1140	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 1140	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 1140	1328	cmd.exe	cmd.exe
PID 1328 wrote to memory of 1500	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1500	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 1500	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 2088	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 2088	1328	cmd.exe	cacls.exe
PID 1328 wrote to memory of 2088	1328	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
"C:\Users\Admin\AppData\Local\Temp\71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
5⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4284

C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:N"
6⤵
PID:4420

C:\Windows\SysWOW64\cacls.exe
CACLS "legola.exe" /P "Admin:R" /E
6⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1140

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
6⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
6⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
2⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t7168966.exe
Filesize
174KB

MD5
8d389d073b2beebc6758e4426950acf1

SHA1
418b296c120f7d03a8fda12546f84abefe101bd7

SHA256
22052d0b22cb9fbf76cc9ce7d73630aae6709880c857d6c86e9297ba8728117c

SHA512
6382aa3ed4aec88b3ada0e001f8cca4d7ffeedb20650d4b63ce78dbad373d5b265954116604525e35af177b7cc0f729783560f20b04d0f8c90c76962ee277e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6127935.exe
Filesize
234KB

MD5
5cc11266b3d8b9fdfb73c46b6929c50c

SHA1
7a8b5a32269f1785a749a7f0577c2d9600fd9c84

SHA256
423dbbd7bdf741d19877d057fc05252d1464e68636e988bebd460e214986416b

SHA512
9b2fa4a88c467a2499c453505cdfdbf6fe22374d67e8ba4b45fa1da8594f126b155dbffcb9f2546b88814262feea677fc394ed36283172e88f80fc3ea85477fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0089499.exe
Filesize
13KB

MD5
5e9cb39b7fd0110e2b07b5bb53e46943

SHA1
78f74fd61257827ed4a010d04705431203e6ed37

SHA256
b45d8a5bdba93cfa6879367d146f3b62e17ea91d99bd28cd5598ba67b832a9f8

SHA512
aa50da7eb3806f572b4bd41ab3d857ab7a8ba6e1296e27c8c04f350220292cd01cf8b7e04535177943789f10fd6640a03cbd097e562bad5d08d710f407d0376a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2080448.exe
Filesize
224KB

MD5
b5b873d143037f6f5b0f786292fcaf34

SHA1
052639c3611d2df6b849e4da83b2bbebc978e8f0

SHA256
6d7d3363c6f6c7615e0106f45c36038ad4949ad828b8b549f28184f60a5c7767

SHA512
4f5047de6a84fd5e883a3c6bd8de5d995add661379c48bbdbd8758a7eef447ba7d08974fe70ccd7eac06e5adcc9f887c887d9e83cff9328269f35abf8cc37a2d

Download Submit
memory/2652-14-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2652-15-0x00007FFF636C3000-0x00007FFF636C5000-memory.dmp

Filesize
8KB

Download
memory/4764-33-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/4764-34-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/4764-35-0x00000000057D0000-0x0000000005DE8000-memory.dmp

Filesize
6.1MB

Download
memory/4764-36-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/4764-37-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/4764-38-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/4764-39-0x00000000051B0000-0x00000000051FC000-memory.dmp

Filesize
304KB

Download