Overview

overview

10

Static

static

3

0e13a10fd6...cb.exe

windows10-2004-x64

10

0f3fc05fe2...99.exe

windows10-2004-x64

10

1437361c67...55.exe

windows10-2004-x64

10

23bea5b85d...33.exe

windows10-2004-x64

10

27054c4ef8...56.exe

windows10-2004-x64

10

2b700615cb...c1.exe

windows10-2004-x64

10

30fb90dbd1...b4.exe

windows10-2004-x64

10

312c299a84...a6.exe

windows7-x64

3

312c299a84...a6.exe

windows10-2004-x64

10

35d50aca92...42.exe

windows10-2004-x64

10

627c0990f7...d9.exe

windows10-2004-x64

10

65db5d7052...3e.exe

windows10-2004-x64

10

677afbc183...fd.exe

windows7-x64

3

677afbc183...fd.exe

windows10-2004-x64

10

841ea03e18...82.exe

windows10-2004-x64

10

85594a9dff...ab.exe

windows10-2004-x64

10

8c7a2623ea...7d.exe

windows10-2004-x64

10

9a0ecac5f6...8e.exe

windows10-2004-x64

10

adaea581d9...c2.exe

windows10-2004-x64

10

c64d3873d4...2e.exe

windows10-2004-x64

10

ffa14d4c0b...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe

  • Size

    515KB

  • MD5

    468b8fb8fee779e9bb718ae1d50c891d

  • SHA1

    e829e9c23aced9a9b956ae9a3f58ad6c5b014ab3

  • SHA256

    2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1

  • SHA512

    0d8438c09c31c11d72fd3f28a4e39fba7ef6133728d2e6309a64b9236e1ef853b57bda48b8130d4ed2153616849869024e00a544dbcf95b6d858d0ec4d1c7cb5

  • SSDEEP

    12288:hMrTy900gkEayaYWCJZ80zpbB5akxvA5TcR2tXPs:aygkUWwZ80zpbB8k6E

Score
10/10
amadeyhealerredlinesmokeloadernewsbackdoordropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe
    "C:\Users\Admin\AppData\Local\Temp\2b700615cbaa89c4d3e0272582a4db8e51bcfe6c3333a5be92e93784b2855ac1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5084
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4428
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1852
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1196
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:4164
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:3976
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:4388
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:3648
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:1936
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:4068
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1556
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:3580
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:4820

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2581591.exe
                Filesize

                172KB

                MD5

                c53789658163743507e59840354aa22e

                SHA1

                5a338d9ef7b29ee707f808f61e2de07410d15e03

                SHA256

                e9d542fcd0f849685e817f35600986a37a2886f95c52f55f52988e40bdb225d1

                SHA512

                fafc23ac41d62c1a938ac2b277fd4ac0d7fdefcf9d0e1a9891c6ceca60e2f9ab3ac09f4f6e29607f6aa64db948a5b9d77f5e6d8f049371584cce7cb078b8c0bd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6722793.exe
                Filesize

                359KB

                MD5

                a84aec2543b96b819df1d6560a83b409

                SHA1

                4746f87511f4a706b498ce4b00ce04ab2ee34a96

                SHA256

                8e85fd1916d7aa4be4b6d5433fe4d7bfd6cc2b6345dc0e66944e47a32f53283e

                SHA512

                0d83d0790dc5103432caac5d3e8f099a24ef67e2c0f9da16a14611e0b515c12ee1da02b07b397863bbd0a1cd2983883d969ad900b093d0cb02a04526264db0e6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0555315.exe
                Filesize

                33KB

                MD5

                f20d18cd6b20d015eb19b47c477e1069

                SHA1

                c49feb19e0a0285e9a4565bf59184ae951d07939

                SHA256

                2f6378627677ef33a432850da660c8852b039ab0c2acfc11772d8cbe4b6a0bb8

                SHA512

                f26c33ba50517d39037f70764f0f032012bf378c8e7a75f65c7189a8b6a6f8857aaeda9c5ab0b9d1340a873e63715e05a239aa2b57a6bd4a387750b9a45f6ac2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0212287.exe
                Filesize

                235KB

                MD5

                7fb53a16038674b0ba753c48ce1c4d40

                SHA1

                d953a2339156d23dc5ae893aad21de6b5d30f749

                SHA256

                ab23c1eaa08a4c0824d555f3237b26870b9402e39a209383ba1b3a708b7c5fc0

                SHA512

                416e81c736465104999c4e609b1d22b63e4d34c303dc4d495eb0c47bc59bee5616f63ad673029e4ee51c0e24031e6ae4938f640492f6deb58f8908b89ab268e9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5482627.exe
                Filesize

                11KB

                MD5

                259bb29209ae2578fb8b7cc4a582acc1

                SHA1

                068f6221e70d483abf48150bd735a2ee27549788

                SHA256

                d64ae6f3530eb8737ac7907d75b40e3f68e5a5dc43fd215cb1926fd6d31164d4

                SHA512

                b0c893cc008329afbec7faa5cba70c025c31d72304d0ea411d7f25bf893908bae698984683a4f87c6f6962329936b092a503bc523a1b1050833f4c4948314f0f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9830090.exe
                Filesize

                229KB

                MD5

                3084ee705552dca8fd17dd8edff172ad

                SHA1

                93bc086ad91b72a88b4a9f97b7e626e19735cb44

                SHA256

                91363b4d41a2cfdb64c13bee2ff6c281fbf5ca0f72484beacbdb8182b31df29e

                SHA512

                3b49cee028c72e2ed6e0b5987a44fa93bdabc4e6e1012a6ebe76acef70cb1d27e31391f5b79eefff84603de3cce6b5156d2f12f50aaea80da4f55821d78493f3

                Download Submit

              • memory/1556-47-0x000000000AA70000-0x000000000AB7A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1556-44-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/1556-45-0x00000000053E0000-0x00000000053E6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1556-46-0x000000000AF00000-0x000000000B518000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/1556-48-0x000000000A9B0000-0x000000000A9C2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1556-49-0x000000000AA10000-0x000000000AA4C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1556-50-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4068-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/5084-22-0x00007FFFE03F3000-0x00007FFFE03F5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/5084-21-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

                Filesize

                40KB

                Download