amadey | e22a5cadeacc1a9d95354d85bdc17f6ab2dc5d23efe7df6d3d4683fb7b881a52

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe
Size

515KB
MD5

48d8dd6d47882bd5e0431a0cf6d1a552
SHA1

47b7610f1443096d9d442b5d8bce9054c8d529c1
SHA256

489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28
SHA512

721d7ec4e09ba8f857ce39e3509f688216f5dac18c3e5aaa215633492e04a40b8e9c569ddec5fbaf8b020ae50357990a5336fda52e6dced6437b02502a559708
SSDEEP

12288:QMr9y90kVhlZSFHR0jsIpCE5NLNbPbE5uhI7tibmQmYoL:9yTZ60BpCEMuqJ+mEoL

Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe	healer
behavioral7/memory/3880-21-0x0000000000C60000-0x0000000000C6A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a4317860.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4317860.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4317860.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4317860.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4317860.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4317860.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4317860.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe	family_redline
behavioral7/memory/748-44-0x0000000000C80000-0x0000000000CB0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b3521762.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	b3521762.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

Processes:

v6874300.exev5729178.exea4317860.exeb3521762.exedanke.exec9143825.exed8694300.exedanke.exedanke.exe

pid process

3620 v6874300.exe
3636 v5729178.exe
3880 a4317860.exe
1388 b3521762.exe
2164 danke.exe
4292 c9143825.exe
748 d8694300.exe
320 danke.exe
5012 danke.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a4317860.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4317860.exe

pid	process
3620	v6874300.exe
3636	v5729178.exe
3880	a4317860.exe
1388	b3521762.exe
2164	danke.exe
4292	c9143825.exe
748	d8694300.exe
320	danke.exe
5012	danke.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4317860.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exev6874300.exev5729178.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6874300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5729178.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c9143825.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9143825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9143825.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9143825.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4204 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a4317860.exe

pid process

3880 a4317860.exe
3880 a4317860.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a4317860.exe

description pid process

Token: SeDebugPrivilege 3880 a4317860.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b3521762.exe

pid process

1388 b3521762.exe

pid	process
4204	schtasks.exe

pid	process
3880	a4317860.exe
3880	a4317860.exe

description	pid	process
Token: SeDebugPrivilege	3880	a4317860.exe

pid	process
1388	b3521762.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exev6874300.exev5729178.exeb3521762.exedanke.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 3620	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	v6874300.exe
PID 1532 wrote to memory of 3620	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	v6874300.exe
PID 1532 wrote to memory of 3620	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	v6874300.exe
PID 3620 wrote to memory of 3636	3620	v6874300.exe	v5729178.exe
PID 3620 wrote to memory of 3636	3620	v6874300.exe	v5729178.exe
PID 3620 wrote to memory of 3636	3620	v6874300.exe	v5729178.exe
PID 3636 wrote to memory of 3880	3636	v5729178.exe	a4317860.exe
PID 3636 wrote to memory of 3880	3636	v5729178.exe	a4317860.exe
PID 3636 wrote to memory of 1388	3636	v5729178.exe	b3521762.exe
PID 3636 wrote to memory of 1388	3636	v5729178.exe	b3521762.exe
PID 3636 wrote to memory of 1388	3636	v5729178.exe	b3521762.exe
PID 1388 wrote to memory of 2164	1388	b3521762.exe	danke.exe
PID 1388 wrote to memory of 2164	1388	b3521762.exe	danke.exe
PID 1388 wrote to memory of 2164	1388	b3521762.exe	danke.exe
PID 3620 wrote to memory of 4292	3620	v6874300.exe	c9143825.exe
PID 3620 wrote to memory of 4292	3620	v6874300.exe	c9143825.exe
PID 3620 wrote to memory of 4292	3620	v6874300.exe	c9143825.exe
PID 1532 wrote to memory of 748	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	d8694300.exe
PID 1532 wrote to memory of 748	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	d8694300.exe
PID 1532 wrote to memory of 748	1532	489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe	d8694300.exe
PID 2164 wrote to memory of 4204	2164	danke.exe	schtasks.exe
PID 2164 wrote to memory of 4204	2164	danke.exe	schtasks.exe
PID 2164 wrote to memory of 4204	2164	danke.exe	schtasks.exe
PID 2164 wrote to memory of 1988	2164	danke.exe	cmd.exe
PID 2164 wrote to memory of 1988	2164	danke.exe	cmd.exe
PID 2164 wrote to memory of 1988	2164	danke.exe	cmd.exe
PID 1988 wrote to memory of 4508	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 4508	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 4508	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 1468	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 1468	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 1468	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 4440	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 4440	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 4440	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 1136	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 1136	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 1136	1988	cmd.exe	cmd.exe
PID 1988 wrote to memory of 3232	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 3232	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 3232	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 5084	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 5084	1988	cmd.exe	cacls.exe
PID 1988 wrote to memory of 5084	1988	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe
"C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
6⤵
- Creates scheduled task(s)
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:N"
7⤵
PID:1468

C:\Windows\SysWOW64\cacls.exe
CACLS "danke.exe" /P "Admin:R" /E
7⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1136

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:N"
7⤵
PID:3232

C:\Windows\SysWOW64\cacls.exe
CACLS "..\3ec1f323b5" /P "Admin:R" /E
7⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
2⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:320

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
Filesize
172KB

MD5
2a96746622fa30b8ba99bb493130fe71

SHA1
2df00e287eecd05b459b8f319e48b2db074227a2

SHA256
cbaf39a88af144f09eb435969816f5a8c3b05418d546ba545436b092381d6ddb

SHA512
57c9ac6c10d264fe9ac3d8d5413e11b6fb8628422058fb90011b04f2f27e81da808dc1eb2783ae8ed9cdd1fcde22c0f0bb0f4d01b9acec77f244efdc1875fc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
Filesize
359KB

MD5
2cd816112e2654e8e6d1d5e787e9bf64

SHA1
1578e56dc20951b2d391d5e2efd4ce785cf0f70b

SHA256
4042d3978e88bc0a60c28e661c1230b93c9f4afb5261582ffdbdf983eb5c0053

SHA512
c6a5aa7c82dce4d999062265d6389dc8d991e3e9218b45cdd957f593ed0fa49f1c2a3594815ccf7bc4185304f51f241d474d2a66942f98bd6afcd91170a314af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
Filesize
32KB

MD5
caab6bdd594cf053c653510382e6299d

SHA1
18cc73141fb10b18448d68e31928da123ea7d9ba

SHA256
b7fbfc8a9db3cd7803e9a85ebfaf788163df49d2a581385388c0b04bab238c4a

SHA512
479a8da693c49c8dac91fb1d5fed9da53cbb0c0e69ba339d51934cdd73c387ff7ebbd4a0eda5e95dc1599e9d8710bbf353ee414181898ea9ec27cfdef8562f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
Filesize
235KB

MD5
b33ed449c8f14c6fb368a86bb106cfa0

SHA1
2d87fac952e475fedc5899d84c3fb6a530bd6df1

SHA256
aa7e2f4b57b1cfe177ed374ae52de66ef67d63d4939667d626a771e6c8ed595f

SHA512
52f4e528865df21ebf715e7a32d4928d7d280e3f03c8c0af5bc09094ae31ebe975c047c22f9856692b61891c7fa8107696e6d3fd78f09d19e88629443a1cf0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
Filesize
14KB

MD5
b376a10928f6fe6080e26c262c6e1ffe

SHA1
abaa3561c3ea57806d17d62a5e03c629f7f1700c

SHA256
2a8ff60d89a4e89d0a3bfd586e0660aa7dec7e159743ccf2da80aeba770cddf9

SHA512
839f809a62fa320e4affbc2d3817504bee3983e9de9f92ba6c5179ac0645b4f4e8b16b27eefc92dfe65975ce7fcf745cd420a18e910fb0f2b9f5e23b078c9676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
Filesize
227KB

MD5
64b4e0fd864249e80e2ca09d305f38d4

SHA1
fbdef845a041e25ae29e7a118a772d2d3f859e25

SHA256
525b363998ba283d3a861ccdee3b6f98c638edcda7bdbc5686a43df89045db1b

SHA512
d63df1c17cc8a4d5ff6b788cf09ffa7694f1d7533216c5256b41231335b79ed0eb9d34615ae63d25ca04e0f4df48c4702128c7f4d873e5489fef29de3ac83984

Download Submit
memory/748-47-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/748-44-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/748-45-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/748-46-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/748-48-0x0000000005620000-0x0000000005632000-memory.dmp

Filesize
72KB

Download
memory/748-49-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/748-50-0x00000000056C0000-0x000000000570C000-memory.dmp

Filesize
304KB

Download
memory/3880-22-0x00007FFD6E5B3000-0x00007FFD6E5B5000-memory.dmp

Filesize
8KB

Download
memory/3880-21-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/4292-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download