Overview

overview

10

Static

static

3

05a0748d48...c0.exe

windows7-x64

3

05a0748d48...c0.exe

windows10-2004-x64

10

16b83c8926...86.exe

windows10-2004-x64

10

1e756c3dd2...17.exe

windows10-2004-x64

10

2d35abe32a...2d.exe

windows10-2004-x64

10

3754d1115a...68.exe

windows10-2004-x64

10

489287cb76...28.exe

windows10-2004-x64

10

4a64601cda...bb.exe

windows10-2004-x64

10

4f57ecadcb...56.exe

windows10-2004-x64

10

678b5c88fa...33.exe

windows10-2004-x64

10

6ade339142...e8.exe

windows7-x64

3

6ade339142...e8.exe

windows10-2004-x64

10

6e1ca7d8d7...d7.exe

windows10-2004-x64

10

7a398dd87e...55.exe

windows10-2004-x64

10

806347c33e...f1.exe

windows10-2004-x64

10

853890cb43...68.exe

windows10-2004-x64

10

85f2f1ff9e...04.exe

windows10-2004-x64

10

8ea62cf585...13.exe

windows7-x64

3

8ea62cf585...13.exe

windows10-2004-x64

10

af1379c2cb...5d.exe

windows10-2004-x64

10

b22005984d...40.exe

windows10-2004-x64

10

b567e2a99f...c5.exe

windows10-2004-x64

10

f8896ca2a9...6f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe

  • Size

    515KB

  • MD5

    48d8dd6d47882bd5e0431a0cf6d1a552

  • SHA1

    47b7610f1443096d9d442b5d8bce9054c8d529c1

  • SHA256

    489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28

  • SHA512

    721d7ec4e09ba8f857ce39e3509f688216f5dac18c3e5aaa215633492e04a40b8e9c569ddec5fbaf8b020ae50357990a5336fda52e6dced6437b02502a559708

  • SSDEEP

    12288:QMr9y90kVhlZSFHR0jsIpCE5NLNbPbE5uhI7tibmQmYoL:9yTZ60BpCEMuqJ+mEoL

Score
10/10
amadeyhealerredlinesmokeloadernasabackdoordropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe
    "C:\Users\Admin\AppData\Local\Temp\489287cb76171eb013ef8276977586b53061bbfae58f0a22402bd5aa83ff8d28.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3880
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1388
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4204
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1988
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:4508
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:1468
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:4440
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:1136
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:3232
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:5084
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:4292
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
                  2⤵
                  • Executes dropped EXE
                  PID:748
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:320
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:5012

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8694300.exe
                Filesize

                172KB

                MD5

                2a96746622fa30b8ba99bb493130fe71

                SHA1

                2df00e287eecd05b459b8f319e48b2db074227a2

                SHA256

                cbaf39a88af144f09eb435969816f5a8c3b05418d546ba545436b092381d6ddb

                SHA512

                57c9ac6c10d264fe9ac3d8d5413e11b6fb8628422058fb90011b04f2f27e81da808dc1eb2783ae8ed9cdd1fcde22c0f0bb0f4d01b9acec77f244efdc1875fc5b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6874300.exe
                Filesize

                359KB

                MD5

                2cd816112e2654e8e6d1d5e787e9bf64

                SHA1

                1578e56dc20951b2d391d5e2efd4ce785cf0f70b

                SHA256

                4042d3978e88bc0a60c28e661c1230b93c9f4afb5261582ffdbdf983eb5c0053

                SHA512

                c6a5aa7c82dce4d999062265d6389dc8d991e3e9218b45cdd957f593ed0fa49f1c2a3594815ccf7bc4185304f51f241d474d2a66942f98bd6afcd91170a314af

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9143825.exe
                Filesize

                32KB

                MD5

                caab6bdd594cf053c653510382e6299d

                SHA1

                18cc73141fb10b18448d68e31928da123ea7d9ba

                SHA256

                b7fbfc8a9db3cd7803e9a85ebfaf788163df49d2a581385388c0b04bab238c4a

                SHA512

                479a8da693c49c8dac91fb1d5fed9da53cbb0c0e69ba339d51934cdd73c387ff7ebbd4a0eda5e95dc1599e9d8710bbf353ee414181898ea9ec27cfdef8562f8d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5729178.exe
                Filesize

                235KB

                MD5

                b33ed449c8f14c6fb368a86bb106cfa0

                SHA1

                2d87fac952e475fedc5899d84c3fb6a530bd6df1

                SHA256

                aa7e2f4b57b1cfe177ed374ae52de66ef67d63d4939667d626a771e6c8ed595f

                SHA512

                52f4e528865df21ebf715e7a32d4928d7d280e3f03c8c0af5bc09094ae31ebe975c047c22f9856692b61891c7fa8107696e6d3fd78f09d19e88629443a1cf0e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4317860.exe
                Filesize

                14KB

                MD5

                b376a10928f6fe6080e26c262c6e1ffe

                SHA1

                abaa3561c3ea57806d17d62a5e03c629f7f1700c

                SHA256

                2a8ff60d89a4e89d0a3bfd586e0660aa7dec7e159743ccf2da80aeba770cddf9

                SHA512

                839f809a62fa320e4affbc2d3817504bee3983e9de9f92ba6c5179ac0645b4f4e8b16b27eefc92dfe65975ce7fcf745cd420a18e910fb0f2b9f5e23b078c9676

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3521762.exe
                Filesize

                227KB

                MD5

                64b4e0fd864249e80e2ca09d305f38d4

                SHA1

                fbdef845a041e25ae29e7a118a772d2d3f859e25

                SHA256

                525b363998ba283d3a861ccdee3b6f98c638edcda7bdbc5686a43df89045db1b

                SHA512

                d63df1c17cc8a4d5ff6b788cf09ffa7694f1d7533216c5256b41231335b79ed0eb9d34615ae63d25ca04e0f4df48c4702128c7f4d873e5489fef29de3ac83984

                Download Submit

              • memory/748-47-0x0000000005730000-0x000000000583A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/748-44-0x0000000000C80000-0x0000000000CB0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/748-45-0x0000000002E20000-0x0000000002E26000-memory.dmp

                Filesize

                24KB

                Download

              • memory/748-46-0x0000000005C40000-0x0000000006258000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/748-48-0x0000000005620000-0x0000000005632000-memory.dmp

                Filesize

                72KB

                Download

              • memory/748-49-0x0000000005680000-0x00000000056BC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/748-50-0x00000000056C0000-0x000000000570C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3880-22-0x00007FFD6E5B3000-0x00007FFD6E5B5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3880-21-0x0000000000C60000-0x0000000000C6A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4292-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download