amadey | 2a57fa0e264c30123d79d5a18397ff8ecfce4d9f58a5938c968ad3a9dd12e935

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe
Size

514KB
MD5

7d7d33850f01a172965d4ab3500f15ff
SHA1

6c3f6d557ce913e1b4e76c3325e21fdc9f8e1616
SHA256

c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c
SHA512

10f12ecca2c5643a50be160d7343b8f9b48a91efeb5da2b31dbae9b38794cfe944878c0d0fcd37c0786d5291c80a3b883e2d1499fd69b15ebda1790e427fb304
SSDEEP

12288:nMr7y90vbJ4/tt88tW+bsUlC1U/miz9LjHJWH:wy0m/tptW+YB+djpWH

Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral20/files/0x0008000000023414-20.dat	healer
behavioral20/memory/4032-21-0x0000000000200000-0x000000000020A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8456713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8456713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8456713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8456713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8456713.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8456713.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000700000002340f-42.dat	family_redline
behavioral20/memory/744-44-0x0000000000440000-0x0000000000470000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	b4258974.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

pid	Process
1768	v3902161.exe
2912	v7126104.exe
4032	a8456713.exe
2624	b4258974.exe
3780	danke.exe
4872	c8249291.exe
744	d5692899.exe
4312	danke.exe
4372	danke.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8456713.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3902161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7126104.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8249291.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8249291.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8249291.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	a8456713.exe
4032	a8456713.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	a8456713.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1768	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	83
PID 540 wrote to memory of 1768	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	83
PID 540 wrote to memory of 1768	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	83
PID 1768 wrote to memory of 2912	1768	v3902161.exe	84
PID 1768 wrote to memory of 2912	1768	v3902161.exe	84
PID 1768 wrote to memory of 2912	1768	v3902161.exe	84
PID 2912 wrote to memory of 4032	2912	v7126104.exe	85
PID 2912 wrote to memory of 4032	2912	v7126104.exe	85
PID 2912 wrote to memory of 2624	2912	v7126104.exe	95
PID 2912 wrote to memory of 2624	2912	v7126104.exe	95
PID 2912 wrote to memory of 2624	2912	v7126104.exe	95
PID 2624 wrote to memory of 3780	2624	b4258974.exe	96
PID 2624 wrote to memory of 3780	2624	b4258974.exe	96
PID 2624 wrote to memory of 3780	2624	b4258974.exe	96
PID 1768 wrote to memory of 4872	1768	v3902161.exe	97
PID 1768 wrote to memory of 4872	1768	v3902161.exe	97
PID 1768 wrote to memory of 4872	1768	v3902161.exe	97
PID 3780 wrote to memory of 4552	3780	danke.exe	98
PID 3780 wrote to memory of 4552	3780	danke.exe	98
PID 3780 wrote to memory of 4552	3780	danke.exe	98
PID 3780 wrote to memory of 2352	3780	danke.exe	100
PID 3780 wrote to memory of 2352	3780	danke.exe	100
PID 3780 wrote to memory of 2352	3780	danke.exe	100
PID 2352 wrote to memory of 964	2352	cmd.exe	102
PID 2352 wrote to memory of 964	2352	cmd.exe	102
PID 2352 wrote to memory of 964	2352	cmd.exe	102
PID 2352 wrote to memory of 4572	2352	cmd.exe	103
PID 2352 wrote to memory of 4572	2352	cmd.exe	103
PID 2352 wrote to memory of 4572	2352	cmd.exe	103
PID 2352 wrote to memory of 3520	2352	cmd.exe	104
PID 2352 wrote to memory of 3520	2352	cmd.exe	104
PID 2352 wrote to memory of 3520	2352	cmd.exe	104
PID 2352 wrote to memory of 3292	2352	cmd.exe	105
PID 2352 wrote to memory of 3292	2352	cmd.exe	105
PID 2352 wrote to memory of 3292	2352	cmd.exe	105
PID 2352 wrote to memory of 4144	2352	cmd.exe	106
PID 2352 wrote to memory of 4144	2352	cmd.exe	106
PID 2352 wrote to memory of 4144	2352	cmd.exe	106
PID 2352 wrote to memory of 3200	2352	cmd.exe	107
PID 2352 wrote to memory of 3200	2352	cmd.exe	107
PID 2352 wrote to memory of 3200	2352	cmd.exe	107
PID 540 wrote to memory of 744	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	112
PID 540 wrote to memory of 744	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	112
PID 540 wrote to memory of 744	540	c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe	112

C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe
"C:\Users\Admin\AppData\Local\Temp\c606fbb70c63714189a35096faef884c4cdff3a5f6572cd036c768cf51a7f67c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        7⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        7⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        7⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        7⤵
        
        PID:3200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe
  2⤵
  - Executes dropped EXE
  PID:744

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5692899.exe

Filesize
173KB

MD5
34ef4f81029267ba9ec9215ea8708c77

SHA1
56896a5c8c73edc04e6c06d296d9a147c58291e9

SHA256
d82612a97e9af5b993fd980c0ff88ea6aae412f468e767fa4dc5834f5eb097fc

SHA512
ea942464bd328de1d1ad3cc29bb2469b5a4911a82a10c9ded71e4b3e2453aa9fdf2d222b28b5777cfd281694ace97b738d43b804cb7de46aee3beeb76111026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3902161.exe

Filesize
359KB

MD5
b6b6cf87eac65c335890d9fd1d89c575

SHA1
09ee828f9b389b705bdc2fc64edca9843016d2ce

SHA256
9ac360e32e0933ad998ec356103f4ede1a336e96e827a2df7d23affb3969bf87

SHA512
458b477c351011a9298f44ff69895998bf6422fc07cd7653a44e914c4ba37c5854965dbd6b2d9e28afb8fe0038651a19e27fe7983a6f1d453b5e2e1d3db65376

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c8249291.exe

Filesize
32KB

MD5
6730ca75691e640b557ce97ee0e00814

SHA1
75af9d26079baab5b905b6233072ef3e8d9fbb01

SHA256
f26bd54a582b8527acd3463e0d4265cd54c89af37ad4f2fccb37bba298cfd855

SHA512
999280742ca1c3570af5e8497da16e073dd5ff7aaf416795278ee3bdb7cf2a18662dbd8ecd82d64d60610fab52849a7a60c0b7bc9887f5c7c6c0d6af2b35bda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7126104.exe

Filesize
235KB

MD5
15d5dfc1ba9df672db8de31fb6a354fc

SHA1
97a902f04e2a43bb3cbd2a95c5a6de085d4d6dca

SHA256
bc11d9414f2c1e23731e2bc67436e6abfa68d78a67ae78de9980af3e60517534

SHA512
7bd20d27929109a48c870d22f63d25edcf89f8609b627b82e879b837e2c4c3aed844c1fcddde93bfe2fdc47c0aaa4f89c9ed29e52ad16526544fb9542f331586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8456713.exe

Filesize
14KB

MD5
535fc052b402d82cd7777d2d3870d045

SHA1
204bdb3df1e259aaf361cce9a4b3619d91823121

SHA256
235b3efd965e487e7449e8ac25556edce52209411d65d265e28beb32ca8c28d6

SHA512
3ad3e1d48e1aeb6ce7c80a07a3839d913f24feb3ee01ac5f7d5adf24f469b6066c3f9461efd4102ce9d8dcdbdcc8d45660143d8d4ea89d044b659cc455c29d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4258974.exe

Filesize
227KB

MD5
06152377e0aef018d98a791972e064a6

SHA1
ce9f468f37be3da7ee0a0839bed00e45c0ee8b94

SHA256
6c6d49fab7dcd627afca3332a3cdf19b4e4157e40af97bcf6730e7bbfbb8c661

SHA512
f22640f84c776c0c8188d3081cca5e1b963a4ad58169e9dd40b66eca4df643cf43cd0a66c2d4dd518a95e2b874f7da3cf6b50a8a0f0b3ec4659a5063853409a0

Download Submit
memory/744-47-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/744-44-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/744-45-0x00000000071F0000-0x00000000071F6000-memory.dmp

Filesize
24KB

Download
memory/744-46-0x000000000A870000-0x000000000AE88000-memory.dmp

Filesize
6.1MB

Download
memory/744-48-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/744-49-0x000000000A390000-0x000000000A3CC000-memory.dmp

Filesize
240KB

Download
memory/744-50-0x00000000048B0000-0x00000000048FC000-memory.dmp

Filesize
304KB

Download
memory/4032-22-0x00007FFB53EB3000-0x00007FFB53EB5000-memory.dmp

Filesize
8KB

Download
memory/4032-21-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/4872-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download