amadey | e22a5cadeacc1a9d95354d85bdc17f6ab2dc5d23efe7df6d3d4683fb7b881a52

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe
Size

514KB
MD5

1e6d11e2a9a40c2d205a289ef607ae24
SHA1

f26f81b52bed31e6603334652139784d0a8bfaac
SHA256

678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33
SHA512

be2d827e7ad204b3b92c2c83f67a02e62cf4748c6b322493db36b282374d2c53aeb774a6a0f1eb465215e8ce6f956f6ee9f437da9606c8bf1dfc47a036b43d72
SSDEEP

12288:aMray90Q3D/EZvDisHKwoWljc/MistLDMn2OxRfsfO0lNKc:AyfEyMY/MiKLDqHRfsfO8Nn

Score

10^/10

amadey healer redline smokeloader krast backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe	healer
behavioral10/memory/1200-21-0x0000000000760000-0x000000000076A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a8697821.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8697821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8697821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8697821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8697821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8697821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8697821.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe	family_redline
behavioral10/memory/4796-45-0x0000000000D40000-0x0000000000D70000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7297296.exepdates.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b7297296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 9 IoCs

Processes:

v2156243.exev4542108.exea8697821.exeb7297296.exepdates.exec6702400.exed4301600.exepdates.exepdates.exe

pid process

3572 v2156243.exe
3480 v4542108.exe
1200 a8697821.exe
4580 b7297296.exe
456 pdates.exe
940 c6702400.exe
4796 d4301600.exe
2324 pdates.exe
1408 pdates.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a8697821.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8697821.exe

pid	process
3572	v2156243.exe
3480	v4542108.exe
1200	a8697821.exe
4580	b7297296.exe
456	pdates.exe
940	c6702400.exe
4796	d4301600.exe
2324	pdates.exe
1408	pdates.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8697821.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exev2156243.exev4542108.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2156243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4542108.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c6702400.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6702400.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6702400.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c6702400.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2508 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a8697821.exe

pid process

1200 a8697821.exe
1200 a8697821.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a8697821.exe

description pid process

Token: SeDebugPrivilege 1200 a8697821.exe

pid	process
2508	schtasks.exe

pid	process
1200	a8697821.exe
1200	a8697821.exe

description	pid	process
Token: SeDebugPrivilege	1200	a8697821.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exev2156243.exev4542108.exeb7297296.exepdates.execmd.exe

description	pid	process	target process
PID 1376 wrote to memory of 3572	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	v2156243.exe
PID 1376 wrote to memory of 3572	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	v2156243.exe
PID 1376 wrote to memory of 3572	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	v2156243.exe
PID 3572 wrote to memory of 3480	3572	v2156243.exe	v4542108.exe
PID 3572 wrote to memory of 3480	3572	v2156243.exe	v4542108.exe
PID 3572 wrote to memory of 3480	3572	v2156243.exe	v4542108.exe
PID 3480 wrote to memory of 1200	3480	v4542108.exe	a8697821.exe
PID 3480 wrote to memory of 1200	3480	v4542108.exe	a8697821.exe
PID 3480 wrote to memory of 4580	3480	v4542108.exe	b7297296.exe
PID 3480 wrote to memory of 4580	3480	v4542108.exe	b7297296.exe
PID 3480 wrote to memory of 4580	3480	v4542108.exe	b7297296.exe
PID 4580 wrote to memory of 456	4580	b7297296.exe	pdates.exe
PID 4580 wrote to memory of 456	4580	b7297296.exe	pdates.exe
PID 4580 wrote to memory of 456	4580	b7297296.exe	pdates.exe
PID 3572 wrote to memory of 940	3572	v2156243.exe	c6702400.exe
PID 3572 wrote to memory of 940	3572	v2156243.exe	c6702400.exe
PID 3572 wrote to memory of 940	3572	v2156243.exe	c6702400.exe
PID 456 wrote to memory of 2508	456	pdates.exe	schtasks.exe
PID 456 wrote to memory of 2508	456	pdates.exe	schtasks.exe
PID 456 wrote to memory of 2508	456	pdates.exe	schtasks.exe
PID 456 wrote to memory of 5024	456	pdates.exe	cmd.exe
PID 456 wrote to memory of 5024	456	pdates.exe	cmd.exe
PID 456 wrote to memory of 5024	456	pdates.exe	cmd.exe
PID 5024 wrote to memory of 4692	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 4692	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 4692	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 1308	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 1308	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 1308	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4640	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4640	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4640	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 2580	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 2580	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 2580	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 2984	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 2984	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 2984	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4212	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4212	5024	cmd.exe	cacls.exe
PID 5024 wrote to memory of 4212	5024	cmd.exe	cacls.exe
PID 1376 wrote to memory of 4796	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	d4301600.exe
PID 1376 wrote to memory of 4796	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	d4301600.exe
PID 1376 wrote to memory of 4796	1376	678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe	d4301600.exe

C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe
"C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
6⤵
- Creates scheduled task(s)
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4692

C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:N"
7⤵
PID:1308

C:\Windows\SysWOW64\cacls.exe
CACLS "pdates.exe" /P "Admin:R" /E
7⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2580

C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:N"
7⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
CACLS "..\925e7e99c5" /P "Admin:R" /E
7⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
2⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe
Filesize
173KB

MD5
09ff9e8194b9ad0696f1a83a1e45a8bd

SHA1
bc6cc14f54612d4fb9a8c8cfd911b4c6c465622b

SHA256
a4c56e11f4141a85fc9f59202fdca3d1efedc3df744d5ae2cf6f513cbb2a598d

SHA512
93724ca75fc0d74f1e02155dbea45d6340f89914a7c22f4ce96518f3aa1214d506b2ceb6771a1501b74ac59e32a0a11bb070d09d17b91ed434f8a58ea5326125

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe
Filesize
359KB

MD5
f8b39bfd052a81ec0d573ebcaac1c566

SHA1
93d9f8e6c5dcc5b8b95f039298a5fb58f1d1e968

SHA256
e9cb245bfea68f9bf09c96927a2039e0179748356419234cf5d7074ec2dc3fcf

SHA512
64326fb13e0cf0ba39aa31fbc7d51e2552b7effec63bf1532a64503497e740238b41f74bfa77d12fce480d59e193735be5c330c2b47225ee9b25102bf4f1a49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe
Filesize
35KB

MD5
022c289b67255f1cae9a045e1ac11c7e

SHA1
63df7122392ecf04adee9d7b50146871eb860724

SHA256
82e2550165ef2417b2b73e68d53b4b2044edff94d615c3cc2e221cb878ffcfd6

SHA512
4f26f34a95ad5490ed491079ac38f645b48487cb0e0b7b5abffbb51d49e5294fb498d8c73ed7cd4cecc874dc259ec9d529d8eb4f542d3416ef07a5d7986b2148

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe
Filesize
234KB

MD5
14fe65ca4c39b12df68426389b633aed

SHA1
0536ff02c6028e3c48420555be37554fc6201c00

SHA256
b17e58f21b1a6a41ad1128690f0d562a055d70d0426ba4c394c57c792473e90f

SHA512
0b17c1d010132aaae35d58cfc7fe33df11f308d4589b2d48c737c444e77073d3e22f26050b647dbb520728d049cbd2b2eaf3477f893c84ae54dfd22816ceca9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe
Filesize
11KB

MD5
1767dda783c36bda069190df01c7467d

SHA1
4abc5215b48c67b2737aa8b103624cdc11c606c4

SHA256
00935df1dc707bc0a575565e8a67f077182679d20e76142d949f1131ada74dca

SHA512
a85598f6320fcccae160e7b37b44c572d66e52bc5b8efdcbe581fa3f51fbc4da9995d09415ad2ed4fc1d92dc8008925152a56f0b9703d9add5403dc20fe73208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe
Filesize
223KB

MD5
3251e050d74c269024a1f95e7c8bb02a

SHA1
97fea2859babf20a7284918694c62acb9c44ef43

SHA256
bd784f2a39cba15491697a55fc222dd825a52729e77fe151621f1d296bab8cb3

SHA512
b091edb615306fbb905d90cbb4ffdd5e0b324cba8a2521070997eb733f971bb6b34c65da61b47e752b29f3bbc9a27fd3ed7ab5da385c0a340e556c59e635996a

Download Submit
memory/940-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/940-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1200-21-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download
memory/1200-22-0x00007FFE9B9C3000-0x00007FFE9B9C5000-memory.dmp

Filesize
8KB

Download
memory/4796-45-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/4796-46-0x0000000005660000-0x0000000005666000-memory.dmp

Filesize
24KB

Download
memory/4796-47-0x000000000B170000-0x000000000B788000-memory.dmp

Filesize
6.1MB

Download
memory/4796-48-0x000000000ACF0000-0x000000000ADFA000-memory.dmp

Filesize
1.0MB

Download
memory/4796-49-0x000000000AC30000-0x000000000AC42000-memory.dmp

Filesize
72KB

Download
memory/4796-50-0x000000000AC90000-0x000000000ACCC000-memory.dmp

Filesize
240KB

Download
memory/4796-51-0x0000000002FD0000-0x000000000301C000-memory.dmp

Filesize
304KB

Download