amadey | 9805f81a13aaa68a2026a38b70b1fdd1d76fee0ff63916c669d728c6e4dc3b7e

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
Size

389KB
MD5

54c918a054a58d3fe6838ce4c31344ae
SHA1

84132b9e7a9dfb09181d37588e2d69c9dfa7d8c7
SHA256

6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1
SHA512

2847ba4171fd4a050fce828595c3b066de2b69afff4f5d72877d36c24f14db541610d6260cd44c7530fc026792c1b5fae9f93b8b7dd18eaa870f9d86b14bf091
SSDEEP

6144:K0y+bnr+Xp0yN90QEcHiyKnpVK7KFibk30yxOF+2SlqcK+usm64j1pSSQAJM2Y:cMrPy90GSpk7KwbbyxwMqcRusmDZG

Score

10^/10

amadey healer redline krast dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://5.42.92.67

Attributes

install_dir
ebb444342c
install_file
legola.exe
strings_key
5680b049188ecacbfa57b1b29c2f35a7
url_paths
/norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

77.91.68.68:19071

Attributes

auth_value
9059ea331e4599de3746df73ccb24514

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral11/files/0x0008000000023447-12.dat	healer
behavioral11/memory/4056-14-0x0000000000190000-0x000000000019A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p9459476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p9459476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p9459476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p9459476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p9459476.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p9459476.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x0007000000023444-32.dat	family_redline
behavioral11/memory/2404-33-0x0000000000F80000-0x0000000000FB0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	r3698261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	legola.exe

Executes dropped EXE 7 IoCs

pid	Process
1168	z2215498.exe
4056	p9459476.exe
3400	r3698261.exe
3364	legola.exe
2404	t6863908.exe
1000	legola.exe
2740	legola.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p9459476.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2215498.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	p9459476.exe
4056	p9459476.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	p9459476.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3400	r3698261.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1168	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	85
PID 828 wrote to memory of 1168	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	85
PID 828 wrote to memory of 1168	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	85
PID 1168 wrote to memory of 4056	1168	z2215498.exe	86
PID 1168 wrote to memory of 4056	1168	z2215498.exe	86
PID 1168 wrote to memory of 3400	1168	z2215498.exe	97
PID 1168 wrote to memory of 3400	1168	z2215498.exe	97
PID 1168 wrote to memory of 3400	1168	z2215498.exe	97
PID 3400 wrote to memory of 3364	3400	r3698261.exe	98
PID 3400 wrote to memory of 3364	3400	r3698261.exe	98
PID 3400 wrote to memory of 3364	3400	r3698261.exe	98
PID 828 wrote to memory of 2404	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	99
PID 828 wrote to memory of 2404	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	99
PID 828 wrote to memory of 2404	828	6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe	99
PID 3364 wrote to memory of 3580	3364	legola.exe	100
PID 3364 wrote to memory of 3580	3364	legola.exe	100
PID 3364 wrote to memory of 3580	3364	legola.exe	100
PID 3364 wrote to memory of 5012	3364	legola.exe	102
PID 3364 wrote to memory of 5012	3364	legola.exe	102
PID 3364 wrote to memory of 5012	3364	legola.exe	102
PID 5012 wrote to memory of 1428	5012	cmd.exe	104
PID 5012 wrote to memory of 1428	5012	cmd.exe	104
PID 5012 wrote to memory of 1428	5012	cmd.exe	104
PID 5012 wrote to memory of 4492	5012	cmd.exe	105
PID 5012 wrote to memory of 4492	5012	cmd.exe	105
PID 5012 wrote to memory of 4492	5012	cmd.exe	105
PID 5012 wrote to memory of 1420	5012	cmd.exe	106
PID 5012 wrote to memory of 1420	5012	cmd.exe	106
PID 5012 wrote to memory of 1420	5012	cmd.exe	106
PID 5012 wrote to memory of 2124	5012	cmd.exe	107
PID 5012 wrote to memory of 2124	5012	cmd.exe	107
PID 5012 wrote to memory of 2124	5012	cmd.exe	107
PID 5012 wrote to memory of 3384	5012	cmd.exe	108
PID 5012 wrote to memory of 3384	5012	cmd.exe	108
PID 5012 wrote to memory of 3384	5012	cmd.exe	108
PID 5012 wrote to memory of 3336	5012	cmd.exe	109
PID 5012 wrote to memory of 3336	5012	cmd.exe	109
PID 5012 wrote to memory of 3336	5012	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe
"C:\Users\Admin\AppData\Local\Temp\6c3c673ed879b79fe56de07cf67f2547b37ddb371c94a074e9184833681145b1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
      "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:N"
        6⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legola.exe" /P "Admin:R" /E
        6⤵
        
        PID:1420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:N"
        6⤵
        
        PID:3384
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ebb444342c" /P "Admin:R" /E
        6⤵
        
        PID:3336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe
  2⤵
  - Executes dropped EXE
  PID:2404

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6863908.exe

Filesize
173KB

MD5
9c4c016fc3d3e33c3c40210d5662e5de

SHA1
eac9ecdf3df4d559837dc771a27d13897cf43f5a

SHA256
fa89aaf9d9d40f1eadb1b7be875c2404e2cb353b75d5cd2a773aff3174dbba60

SHA512
c4b490fb0b482c5f3ce5d2ac25c18d1b489ea9b21b2418c580d641f7fdd1bacd8ff6a06594835199fae16dd9ec9e352920a3b6b0fcdfa8475dbeda573e195f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2215498.exe

Filesize
234KB

MD5
586d8efec84ddbcd7d95fb2e3003020b

SHA1
a4703fec900fdb713ab3e10da5d06ca552bf41ec

SHA256
75a0d266a2929f38d13b530c9127aa5429d9a26651a346e695d84f7ae97f5109

SHA512
b52dfb27a176c061285be5709fe0127e498a7b1360d91bc02f36cd0784499e39c2f42766fd5f943d635e3d5a08aed81e6ee43770185fc969263fc0c38d0a03f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p9459476.exe

Filesize
11KB

MD5
9047f06f90f6bcfc55824596c7d9f6ed

SHA1
f1f3342a87a4435e82123523d1f82c65347ed2b4

SHA256
357f195c3f5dd7b9c25b37254b8163d60a84266b4db5fa0316043316cdf9eefe

SHA512
2dba7866b439eb6084979be042b0c7ab6ce93b783dceb9891a464dbdbff5ed34e69e6d10bb13c74af7919c6e73fad2b393e9c8564ffcbf8ab8ea2dd76c77cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3698261.exe

Filesize
223KB

MD5
4fe9e60866f4c6480ece922aff5fd498

SHA1
c637eb736db34dce7786ddf20acd35a8954a635a

SHA256
fdf2d3f0e61d8c9e7566f585f50f465bdc8318220247c55460a117d576c35275

SHA512
efbb56a37935e87dea20813fadd6cf91ea0e1aea797d6f5e76fc83f64803cee5ba7b82a61858c40dfdc4ef0dae3844fd443c2e856f3a557b7d1e056bd262c08e

Download Submit
memory/2404-36-0x000000000ADF0000-0x000000000AEFA000-memory.dmp

Filesize
1.0MB

Download
memory/2404-33-0x0000000000F80000-0x0000000000FB0000-memory.dmp

Filesize
192KB

Download
memory/2404-34-0x00000000057A0000-0x00000000057A6000-memory.dmp

Filesize
24KB

Download
memory/2404-35-0x000000000B280000-0x000000000B898000-memory.dmp

Filesize
6.1MB

Download
memory/2404-37-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/2404-38-0x000000000AD90000-0x000000000ADCC000-memory.dmp

Filesize
240KB

Download
memory/2404-39-0x0000000005270000-0x00000000052BC000-memory.dmp

Filesize
304KB

Download
memory/4056-14-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/4056-15-0x00007FFF846E3000-0x00007FFF846E5000-memory.dmp

Filesize
8KB

Download