amadey | 9805f81a13aaa68a2026a38b70b1fdd1d76fee0ff63916c669d728c6e4dc3b7e

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe
Size

514KB
MD5

553e00500d378ac6c88ebcb49f0c11b2
SHA1

b0640e712ebde50090ee39742411f065e998128c
SHA256

4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7
SHA512

3102d0c6d812f7220f60816f48e6a4d9dc0cfa84fe4fba947e661fa03f7870edeff42fdbb3f4df82040dcf5f8c2241187bb6264c59687a2a92ace8dffbf6399c
SSDEEP

12288:rMrry90RaLXTfYqGozYJ/1epNJeGQ9Fyw:IyNgqGozYB1eXsGQ/d

Score

10^/10

amadey healer redline smokeloader nasa backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

http://77.91.68.3

Attributes

install_dir
3ec1f323b5
install_file
danke.exe
strings_key
827021be90f1e85ab27949ea7e9347e8
url_paths
/home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4781726.exe	healer
behavioral7/memory/3184-21-0x0000000000900000-0x000000000090A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a4781726.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4781726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4781726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4781726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4781726.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4781726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4781726.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5387220.exe	family_redline
behavioral7/memory/3284-44-0x0000000000DF0000-0x0000000000E20000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2443085.exedanke.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	b2443085.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	danke.exe

Executes dropped EXE 9 IoCs

Processes:

v3360512.exev5875187.exea4781726.exeb2443085.exedanke.exec2732462.exed5387220.exedanke.exedanke.exe

pid process

940 v3360512.exe
2380 v5875187.exe
3184 a4781726.exe
1208 b2443085.exe
3148 danke.exe
4980 c2732462.exe
3284 d5387220.exe
4564 danke.exe
1724 danke.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

a4781726.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4781726.exe

pid	process
940	v3360512.exe
2380	v5875187.exe
3184	a4781726.exe
1208	b2443085.exe
3148	danke.exe
4980	c2732462.exe
3284	d5387220.exe
4564	danke.exe
1724	danke.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4781726.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exev3360512.exev5875187.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3360512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5875187.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c2732462.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2732462.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2732462.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c2732462.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a4781726.exe

pid process

3184 a4781726.exe
3184 a4781726.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a4781726.exe

description pid process

Token: SeDebugPrivilege 3184 a4781726.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b2443085.exe

pid process

1208 b2443085.exe

pid	process
4828	schtasks.exe

pid	process
3184	a4781726.exe
3184	a4781726.exe

description	pid	process
Token: SeDebugPrivilege	3184	a4781726.exe

pid	process
1208	b2443085.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exev3360512.exev5875187.exeb2443085.exedanke.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 940	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	v3360512.exe
PID 2644 wrote to memory of 940	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	v3360512.exe
PID 2644 wrote to memory of 940	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	v3360512.exe
PID 940 wrote to memory of 2380	940	v3360512.exe	v5875187.exe
PID 940 wrote to memory of 2380	940	v3360512.exe	v5875187.exe
PID 940 wrote to memory of 2380	940	v3360512.exe	v5875187.exe
PID 2380 wrote to memory of 3184	2380	v5875187.exe	a4781726.exe
PID 2380 wrote to memory of 3184	2380	v5875187.exe	a4781726.exe
PID 2380 wrote to memory of 1208	2380	v5875187.exe	b2443085.exe
PID 2380 wrote to memory of 1208	2380	v5875187.exe	b2443085.exe
PID 2380 wrote to memory of 1208	2380	v5875187.exe	b2443085.exe
PID 1208 wrote to memory of 3148	1208	b2443085.exe	danke.exe
PID 1208 wrote to memory of 3148	1208	b2443085.exe	danke.exe
PID 1208 wrote to memory of 3148	1208	b2443085.exe	danke.exe
PID 940 wrote to memory of 4980	940	v3360512.exe	c2732462.exe
PID 940 wrote to memory of 4980	940	v3360512.exe	c2732462.exe
PID 940 wrote to memory of 4980	940	v3360512.exe	c2732462.exe
PID 2644 wrote to memory of 3284	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	d5387220.exe
PID 2644 wrote to memory of 3284	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	d5387220.exe
PID 2644 wrote to memory of 3284	2644	4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe	d5387220.exe
PID 3148 wrote to memory of 4828	3148	danke.exe	schtasks.exe
PID 3148 wrote to memory of 4828	3148	danke.exe	schtasks.exe
PID 3148 wrote to memory of 4828	3148	danke.exe	schtasks.exe
PID 3148 wrote to memory of 4636	3148	danke.exe	cmd.exe
PID 3148 wrote to memory of 4636	3148	danke.exe	cmd.exe
PID 3148 wrote to memory of 4636	3148	danke.exe	cmd.exe
PID 4636 wrote to memory of 4892	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4892	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4892	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4352	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4352	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4352	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4048	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4048	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4048	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2652	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2652	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2652	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 3420	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 3420	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 3420	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2060	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2060	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2060	4636	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe
"C:\Users\Admin\AppData\Local\Temp\4288cf23e3f7079623b595c70496f28f4678e173ed25b2ef6101e66d3e99e2b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3360512.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3360512.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5875187.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5875187.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4781726.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4781726.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2443085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2443085.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4828
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        7⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        7⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        7⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        7⤵
        
        PID:2060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2732462.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2732462.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5387220.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5387220.exe
  2⤵
  - Executes dropped EXE
  PID:3284

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5387220.exe

Filesize
174KB

MD5
44b079353be223f62c1d1839f5c366c0

SHA1
d83df1f2fec068ffe6f7213070a691dba3a6b0ce

SHA256
099d2afe51a4f5e880e605b76938da41b813f6948fceecbd341ce0ba5a45a7c1

SHA512
33d2c0dd7e8fb2d4028d276143dcacb1082d52a7a3db060cd862cd96f2912e5207ceea0290431f2badb57194924a87e42ec0523703c9b9e5b4236cf2f9cb0b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3360512.exe

Filesize
359KB

MD5
ded312afa77140fe823cb44ec4485042

SHA1
c279c93b58baad6c0ddb4b1ac7d0ed4ddf637057

SHA256
b3b061f2b4544656453666c30d45ee2e131cb77d54b2bb8c3bd2d323d31ae5bf

SHA512
c54450a35f5695b9bb91bef27d5cb18f97a5b0f2a79a179b3fb84490cf00548940e1e8205e0efe540ba15e5ca2f48b65aafca5e050f9fef8327ab4813a97cd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2732462.exe

Filesize
32KB

MD5
94afb8384b655860e0b77c8ca6200931

SHA1
319864292e0d2bfc7526b9c035810bc5b98070ed

SHA256
f6daf5683616a0354463d1033829182576d4fcdb02044323dd51cd12e07df429

SHA512
168b40c74a1706e5c4eaa2bc92cba9167173bc338c87e191ccd3e1c6501e722a33b997f223d88122155fd3aa6395e81c30b366ef2d6d8c6083c9cd7804aa0458

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5875187.exe

Filesize
235KB

MD5
09d904a000f63b258e5bad10de5f1b26

SHA1
07e523b50c05c5eb7f2989a19c924f37ff615ee3

SHA256
f6967f6c2083213475e2621df9a23d3683a65ef60451e7d6f221ea730b5b21e6

SHA512
1c0277231b5fdcba54d6ff404eb4531f1f1476f1a0786ec70e34e2c33a9447180a123473cbfa53b754b6084f38ec6a3e7cfc4428d2526f9692c4fc0e651372e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4781726.exe

Filesize
15KB

MD5
a18b4948b9077425fcff2f137e2177a8

SHA1
feabecf64bb8c5cea8292bdab6d6ad34b33c05c2

SHA256
bac5261eb318fb406e196c29e6d324af34b8f5b4ea6a6329522f88742a1a6982

SHA512
221ab6c2971e38d3fe336606576a9395565cd9d03f7383fec03941a1d632d70542c7a8cf1c7ba6afb77ad975d57ace9948ee01b20df22cd7701dd438b2c289ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2443085.exe

Filesize
227KB

MD5
75122262d5617fea555d27b2f4cdaf22

SHA1
a02a17cdba991da097d4682780c0f14bc9bf0e8c

SHA256
4379ffbd5592220272d5864a401354f23700e99a576889ace92a27fe612d0179

SHA512
4e2591d639161aeb82f35c4f7f6231d103a554576cc73a680a9495f57aa9c79955cc164e2b7176c5bddffb115019b594ff3c8f64dd7146e6737ad9b6241fd6f9

Download Submit
memory/3184-22-0x00007FFE96EC3000-0x00007FFE96EC5000-memory.dmp

Filesize
8KB

Download
memory/3184-21-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/3284-44-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/3284-45-0x0000000002F90000-0x0000000002F96000-memory.dmp

Filesize
24KB

Download
memory/3284-46-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/3284-47-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/3284-48-0x0000000005770000-0x0000000005782000-memory.dmp

Filesize
72KB

Download
memory/3284-49-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/3284-50-0x0000000005820000-0x000000000586C000-memory.dmp

Filesize
304KB

Download
memory/4980-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download